Infection name unknown - Internet Explorer background voice, Google search site redirects on Firefox & IE


  • This topic is locked
9 replies to this topic

#1 brashcube46

brashcube46

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:54 AM

Posted 08 January 2011 - 10:00 PM

A few days ago we started hearing recorded voice advertisements coming from our computer speakers when there weren't any browsers open. Also, every time I try to click on a Google search result, I'm redirected to a random page. This happens in IE and Firefox. I can make the redirects stop if JavaScript is disabled, but this is obviously a short-term solution.

Internet searching reveals that many people are experiencing similar symptoms. However, I have yet to find a solution that works for my machine.

See logs below.

DDS (Ver_10-12-12.02) - NTFSx86
Run by Rick at 19:50:00.65 on Sat 01/08/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.328 [GMT -5:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
D:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
D:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\WINDOWS\AGRSMMSG.exe
D:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
D:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe
D:\Program Files\Mozilla Firefox 4.0 Beta 7\plugin-container.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rick\Desktop\malware detect\dds.scr
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC12.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG12.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - d:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - d:\program files\norton antivirus\engine\18.1.0.37\IPSBHO.DLL
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - d:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - d:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - d:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - d:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - d:\program files\ask.com\GenericAskToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [j2 4.4] "d:\program files\j2 messenger 4.4\J2GDllCmd.exe" /R
uRun: [Google Update] "c:\documents and settings\rick\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [YMailAdvisor] "d:\program files\yahoo!\common\YMailAdvisor.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
mRun: [Monitor] "d:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Google Desktop Search] "d:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08c5 -f video -m logitech -d 11.0.0.1217
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - d:\program files\apc\apc powerchute personal edition\Display.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - d:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} - hxxp://esupport.sony.com/VaioInfo.CAB
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - d:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1262150475843
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - d:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: d:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rick\applic~1\mozilla\firefox\profiles\0gjdy0ic.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - plugin: c:\documents and settings\rick\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\rick\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\rick\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\rick\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\rick\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: d:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: d:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: d:\program files\google\picasa3\npPicasa3.dll
FF - plugin: d:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: d:\program files\microsoft silverlight\4.0.50917.0\npctrlui.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\program files\mozilla firefox 4.0 beta 7\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - d:\program files\mozilla firefox 4.0 beta 7\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - d:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\IPSFFPlgn

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-1-2 64288]
R0 si3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [1979-12-31 116264]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [1979-12-31 19240]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1205000.07d\symds.sys [2010-12-9 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1205000.07d\symefa.sys [2010-12-9 652336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\bashdefs\20101123.003\BHDrvx86.sys [2010-11-22 691248]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1205000.07d\ironx86.sys [2010-12-9 136312]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-29 102448]
R3 NmPar;Unusable Parallel Port;c:\windows\system32\drivers\NmPar.sys [2008-12-24 80256]
R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [2008-12-16 70016]
S2 gupdate;Google Update Service (gupdate);d:\program files\google\update\GoogleUpdate.exe [2010-9-17 136176]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1389400]
S2 NAV;Norton AntiVirus;d:\program files\norton antivirus\engine\18.5.0.125\ccsvchst.exe [2010-12-9 130000]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2010-1-26 18560]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;d:\program files\google\google desktop search\GoogleDesktop.exe [2010-2-6 30192]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\ipsdefs\20110104.001\IDSXpx86.sys [2011-1-5 341944]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;d:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15264]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20110106.003\NAVENG.SYS [2011-1-6 86008]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20110106.003\NAVEX15.SYS [2011-1-6 1360760]

=============== Created Last 30 ================

2011-01-08 22:16:02 -------- d-----w- d:\program files\ESET
2011-01-08 22:05:21 -------- d-----w- d:\program files\trend micro
2011-01-08 13:42:27 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2011-01-08 13:31:50 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-08 13:31:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-01-08 07:09:19 -------- d-----w- c:\docume~1\rick\applic~1\Malwarebytes
2011-01-08 07:09:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-08 07:09:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-08 07:09:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-08 07:09:02 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2011-01-08 07:08:11 -------- d-s---w- C:\ComboFix
2011-01-08 06:45:20 1345624 ----a-w- C:\3423409.exe
2011-01-08 04:24:13 -------- d-----w- d:\program files\Sophos
2011-01-07 04:05:26 -------- d-sha-r- C:\cmdcons
2011-01-02 13:57:18 15880 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-02 11:06:17 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-01-02 11:06:11 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-02 11:04:00 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2011-01-02 11:03:26 -------- d-----w- d:\program files\Lavasoft
2010-12-31 12:48:08 -------- d-----w- c:\docume~1\rick\locals~1\applic~1\Research In Motion
2010-12-31 12:48:06 -------- d-----w- c:\docume~1\rick\applic~1\Research In Motion
2010-12-31 12:47:40 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2010-12-31 12:47:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\Research In Motion
2010-12-31 12:46:32 -------- d-----w- d:\program files\Research In Motion
2010-12-31 12:46:32 -------- d-----w- c:\program files\common files\Research In Motion
2010-12-14 21:26:53 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-12 17:25:01 -------- d-----w- d:\program files\Mozilla Firefox 4.0 Beta 7

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-18 23:40:02 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

============= FINISH: 19:56:52.62 ===============
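A small triage script for the DDS log format posted above, added here as an example; it is not part of the original thread, nor is it code from the DDS tool. It parses the SERVICES / DRIVERS and Created Last 30 sections and flags three things a responder would check first: a service whose image is a temp file or could not be read (the MEMSWEEP2 entry above, which a responder would then reconcile with the Sophos install on 2011-01-08 in the same log), a core Windows XP driver such as atapi.sys rewritten within a few days of the log being taken, and service names that look machine-generated (the ComboFix report later in this thread removes a driver named sst67A.sys). The CORE_DRIVERS list, the name heuristic, the severity labels and the seven-day window are my own assumptions; the sample lines are copied from the first log above. A flag is a prompt to hash the file against a known-good copy, not a verdict.

```python
"""Triage helper for the DDS log format: flags entries worth a second look."""
import re
from datetime import date, datetime, timedelta

# Windows XP core drivers that are legitimately replaced only by Windows Update or a
# service pack (assumed list, not from the thread); a fresh timestamp on one of these
# deserves a hash comparison against a known-good copy.
CORE_DRIVERS = {"atapi.sys", "ndis.sys", "ntfs.sys", "tcpip.sys", "disk.sys",
                "afd.sys", "null.sys", "kbdclass.sys", "mouclass.sys"}

# Sample input: header and selected lines copied from the first DDS log in the thread.
SAMPLE_LOG = r"""
DDS (Ver_10-12-12.02) - NTFSx86
Run by Rick at 19:50:00.65 on Sat 01/08/2011

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-1-2 64288]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1205000.07d\symds.sys [2010-12-9 340016]
S2 NAV;Norton AntiVirus;d:\program files\norton antivirus\engine\18.5.0.125\ccsvchst.exe [2010-12-9 130000]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]

=============== Created Last 30 ================

2011-01-08 22:16:02 -------- d-----w- d:\program files\ESET
2011-01-08 13:42:27 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2011-01-08 13:31:50 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-02 11:06:17 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
"""

RUN_RE = re.compile(r"^Run by .* on \w{3} (\d{2}/\d{2}/\d{4})$")
# "<start> <name>;<description>;<image path> [<date> <size>]"; the bracket holds "?"
# when DDS could not read the image file.
SVC_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)(?:\s+\[(.*)\])?$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+(\S+)\s+(\S+)\s+(.*)$")
# Short letter prefix followed by a hex-looking run, e.g. sst67A (assumed heuristic).
RANDOM_NAME_RE = re.compile(r"[A-Za-z]{2,5}[0-9A-Fa-f]{3,}")


def parse_dds(text):
    """Pull the run date, service/driver entries and Created Last 30 entries out of a DDS log."""
    run_date, section, drivers, created = None, None, [], []
    for line in text.splitlines():
        line = line.rstrip()
        m = RUN_RE.match(line)
        if m:
            run_date = datetime.strptime(m.group(1), "%m/%d/%Y").date()
            continue
        if line.startswith("="):            # section banner; FINISH/Find3M reset to None
            if "SERVICES / DRIVERS" in line:
                section = "drivers"
            elif "Created Last 30" in line:
                section = "created"
            else:
                section = None
            continue
        if section == "drivers" and (m := SVC_RE.match(line)):
            start, name, desc, path, stamp = m.groups()
            drivers.append({"start": start, "name": name, "desc": desc,
                            "path": path, "stamp": stamp})
        elif section == "created" and (m := CREATED_RE.match(line)):
            when, size, attrs, path = m.groups()
            created.append({"date": date.fromisoformat(when),
                            "size": None if size.startswith("-") else int(size),
                            "attrs": attrs, "path": path})
    return {"run_date": run_date, "drivers": drivers, "created": created}


def triage(parsed, window_days=7):
    """Return (severity, subject, reason) triples; each is a prompt to verify, not a verdict."""
    findings = []
    for d in parsed["drivers"]:
        path = d["path"].lower()
        if d["stamp"] == "?" or path.endswith(".tmp"):
            findings.append(("HIGH", d["name"],
                             "service image is a temp file or could not be read: " + d["path"]))
        elif RANDOM_NAME_RE.fullmatch(d["name"]):
            findings.append(("MEDIUM", d["name"],
                             "machine-generated-looking service name: " + d["path"]))
    cutoff = (parsed["run_date"] or date.today()) - timedelta(days=window_days)
    for c in parsed["created"]:
        path = c["path"].lower()
        if not path.endswith(".sys") or c["date"] < cutoff:
            continue
        base = path.rsplit("\\", 1)[-1]
        sev = "HIGH" if base in CORE_DRIVERS else "INFO"
        findings.append((sev, base, f"driver written {c['date']} ({c['size']} bytes)"))
    return findings


if __name__ == "__main__":
    for sev, subject, reason in triage(parse_dds(SAMPLE_LOG)):
        print(f"{sev:6} {subject:16} {reason}")
```

Run against a full DDS log, the INFO lines will mostly be security tools installed during cleanup (hitmanpro35.sys and Lbd.sys here); the value is in the HIGH entries, which are exactly the files to pull off the machine and hash before anything else is run.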


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:54 AM

Posted 13 January 2011 - 05:50 PM

Hello brashcube46 ,


Sorry for the delay. :( If you still need help, please post a new DDS/HijackThis log and I'll be happy to look at it. :) Please also post the ComboFix report since I see you've run it already.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 brashcube46

brashcube46
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:54 AM

Posted 14 January 2011 - 01:44 PM

An updated DDS log is below. I attempted to run ComboFix but it will only start "at my own risk" because it thinks Norton Antivirus is running. However, Norton will not open when I attempt to launch it. And, when I look at the "Norton Antivirus" service in Administrative Tools it says that it is "stopped".

Any ideas?


DDS (Ver_10-12-12.02) - NTFSx86
Run by Rick at 10:50:43.37 on Fri 01/14/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.402 [GMT -5:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
D:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
D:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
D:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\WINDOWS\AGRSMMSG.exe
D:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
D:\Program Files\Mozilla Firefox 4.0 Beta 7\firefox.exe
D:\Program Files\Mozilla Firefox 4.0 Beta 7\plugin-container.exe
C:\Documents and Settings\Rick\Desktop\malware detect\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - d:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - d:\program files\norton antivirus\engine\18.1.0.37\IPSBHO.DLL
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - d:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - d:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - d:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - d:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - d:\program files\ask.com\GenericAskToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [j2 4.4] "d:\program files\j2 messenger 4.4\J2GDllCmd.exe" /R
uRun: [Google Update] "c:\documents and settings\rick\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [YMailAdvisor] "d:\program files\yahoo!\common\YMailAdvisor.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
mRun: [Monitor] "d:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Google Desktop Search] "d:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08c5 -f video -m logitech -d 11.0.0.1217
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - d:\program files\apc\apc powerchute personal edition\Display.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - d:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} - hxxp://esupport.sony.com/VaioInfo.CAB
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - d:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1262150475843
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1294584550524
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - d:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: d:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rick\applic~1\mozilla\firefox\profiles\0gjdy0ic.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - plugin: c:\documents and settings\rick\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\rick\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\rick\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\rick\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\rick\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: d:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: d:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: d:\program files\google\picasa3\npPicasa3.dll
FF - plugin: d:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: d:\program files\microsoft silverlight\4.0.51204.0\npctrlui.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\program files\mozilla firefox 4.0 beta 7\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - d:\program files\mozilla firefox 4.0 beta 7\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - d:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\IPSFFPlgn

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-1-2 64288]
R0 si3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [1979-12-31 116264]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [1979-12-31 19240]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1205000.07d\symds.sys [2010-12-9 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1205000.07d\symefa.sys [2010-12-9 652336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\bashdefs\20101123.003\BHDrvx86.sys [2010-11-22 691248]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1205000.07d\ironx86.sys [2010-12-9 136312]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1402272]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-29 102448]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;d:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15264]
R3 NmPar;Unusable Parallel Port;c:\windows\system32\drivers\NmPar.sys [2008-12-24 80256]
R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [2008-12-16 70016]
S2 gupdate;Google Update Service (gupdate);d:\program files\google\update\GoogleUpdate.exe [2010-9-17 136176]
S2 NAV;Norton AntiVirus;d:\program files\norton antivirus\engine\18.5.0.125\ccsvchst.exe [2010-12-9 130000]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2010-1-26 18560]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;d:\program files\google\google desktop search\GoogleDesktop.exe [2010-2-6 30192]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\ipsdefs\20110104.001\IDSXpx86.sys [2011-1-5 341944]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20110106.003\NAVENG.SYS [2011-1-6 86008]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20110106.003\NAVEX15.SYS [2011-1-6 1360760]

=============== Created Last 30 ================

2011-01-09 20:38:35 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-01-09 20:38:35 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-01-08 22:16:02 -------- d-----w- d:\program files\ESET
2011-01-08 22:05:21 -------- d-----w- d:\program files\trend micro
2011-01-08 13:42:27 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2011-01-08 13:31:50 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-08 13:31:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-01-08 07:09:19 -------- d-----w- c:\docume~1\rick\applic~1\Malwarebytes
2011-01-08 07:09:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-08 07:09:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-08 07:09:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-08 07:09:02 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2011-01-08 07:08:11 -------- d-s---w- C:\ComboFix
2011-01-08 06:45:20 1345624 ----a-w- C:\3423409.exe
2011-01-08 04:24:13 -------- d-----w- d:\program files\Sophos
2011-01-07 04:05:26 -------- d-sha-r- C:\cmdcons
2011-01-02 13:57:18 15880 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-02 11:06:17 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-01-02 11:06:11 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-02 11:04:00 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2011-01-02 11:03:26 -------- d-----w- d:\program files\Lavasoft
2010-12-31 12:48:08 -------- d-----w- c:\docume~1\rick\locals~1\applic~1\Research In Motion
2010-12-31 12:48:06 -------- d-----w- c:\docume~1\rick\applic~1\Research In Motion
2010-12-31 12:47:40 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2010-12-31 12:47:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\Research In Motion
2010-12-31 12:46:32 -------- d-----w- d:\program files\Research In Motion
2010-12-31 12:46:32 -------- d-----w- c:\program files\common files\Research In Motion

==================== Find3M ====================

2010-12-02 03:35:18 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-18 23:40:02 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

============= FINISH: 10:57:41.06 ===============

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:54 AM

Posted 14 January 2011 - 02:09 PM

Hi there :)

I didn't ask you to run ComboFix again. I asked for the report from when you ran it before. That's all I need for now. :thumbup2:

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#5 brashcube46 (Topic Starter, Members, 5 posts)

Posted 14 January 2011 - 03:29 PM

Excellent point. See below.

ComboFix 11-01-06.03 - Rick 01/06/2011 23:10:06.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.622 [GMT -5:00]
Running from: c:\documents and settings\Rick\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\sst67A.sys
D:\install.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_sst67A
-------\Service_sst67A


((((((((((((((((((((((((( Files Created from 2010-12-07 to 2011-01-07 )))))))))))))))))))))))))))))))
.

2011-01-02 13:57 . 2010-12-03 09:05 15880 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-02 13:43 . 2011-01-02 13:47 -------- d-----w- c:\documents and settings\Rick\Application Data\GetRightToGo
2011-01-02 11:06 . 2010-12-03 09:05 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-01-02 11:06 . 2011-01-02 11:06 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-02 11:04 . 2011-01-02 11:04 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\Sunbelt Software
2011-01-02 11:04 . 2011-01-02 11:04 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2011-01-02 11:03 . 2011-01-02 11:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-01-02 11:03 . 2011-01-02 11:03 -------- d-----w- d:\program files\Lavasoft
2011-01-02 00:18 . 2011-01-02 00:18 0 ----a-w- c:\windows\system32\drivers\sst67A.tmp
2010-12-31 12:48 . 2010-12-31 12:48 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\Research In Motion
2010-12-31 12:48 . 2010-12-31 12:48 -------- d-----w- c:\documents and settings\Rick\Application Data\Research In Motion
2010-12-31 12:47 . 2009-01-09 22:18 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2010-12-31 12:47 . 2010-12-31 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-12-31 12:46 . 2010-12-31 12:46 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-12-31 12:46 . 2010-12-31 12:46 -------- d-----w- d:\program files\Research In Motion
2010-12-25 18:56 . 2010-12-25 18:56 -------- d-----w- c:\program files\Common Files\Skype
2010-12-14 21:26 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-12 17:25 . 2010-12-24 12:53 -------- d-----w- d:\program files\Mozilla Firefox 4.0 Beta 7
2010-12-09 20:09 . 2010-12-09 20:10 -------- d-----w- c:\windows\system32\drivers\NAV\1205000.07D

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2009-12-30 05:07 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2001-08-23 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2009-12-30 13:30 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2001-08-23 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-11-01 19:39 . 2009-12-30 14:54 15256 ----a-w- c:\documents and settings\Rick\Application Data\Microsoft\IdentityCRL\ppcrlconfig.dll
2010-10-28 13:13 . 2001-08-23 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2001-08-23 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-18 23:40 . 2009-12-30 14:16 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-18 23:40 . 2009-12-30 14:16 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-11 20:57 . 2010-02-07 00:56 119808 ----a-w- d:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-09-02 19:56 1175944 ----a-w- d:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "d:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"j2 4.4"="d:\program files\j2 Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]
"Google Update"="c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-09-17 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-06 335872]
"YMailAdvisor"="d:\program files\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 88361]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"Monitor"="d:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-11-08 193880]
"Google Desktop Search"="d:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-11 30192]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2009-12-17 149224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-05-11 441120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - d:\program files\APC\APC PowerChute Personal Edition\Display.exe [2010-5-11 221247]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Documents and Settings\\Rick\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"d:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/2/2011 6:06 AM 64288]
R0 si3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [12/31/1979 7:00 PM 116264]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [12/31/1979 7:00 PM 19240]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/30/2009 9:29 AM 691696]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1205000.07D\symds.sys [12/9/2010 3:10 PM 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1205000.07D\symefa.sys [12/9/2010 3:10 PM 652336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [11/22/2010 9:20 PM 691248]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1205000.07D\ironx86.sys [12/9/2010 3:10 PM 136312]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 4:05 AM 1389400]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/29/2010 1:07 PM 102448]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;d:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/3/2010 4:05 AM 15264]
R3 NmPar;Unusable Parallel Port;c:\windows\system32\drivers\NmPar.sys [12/24/2008 5:40 AM 80256]
R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [12/16/2008 6:10 AM 70016]
S2 gupdate;Google Update Service (gupdate);d:\program files\Google\Update\GoogleUpdate.exe [9/17/2010 7:33 PM 136176]
S2 NAV;Norton AntiVirus;d:\program files\Norton AntiVirus\Engine\18.5.0.125\ccsvchst.exe [12/9/2010 3:09 PM 130000]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [1/26/2010 7:45 PM 18560]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;d:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/6/2010 7:56 PM 30192]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110104.001\IDSXpx86.sys [1/5/2011 6:27 PM 341944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-11-22 19:18 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2011-01-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- d:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 09:05]

2011-01-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-09-18 00:33]

2011-01-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-09-18 00:33]

2011-01-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-2000478354-1801674531-1003Core.job
- c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-17 01:02]

2011-01-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-2000478354-1801674531-1003UA.job
- c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-17 01:02]

2011-01-06 c:\windows\Tasks\Norton Security Scan for Rick.job
- d:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-07-10 14:06]

2011-01-07 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- d:\program files\Ask.com\UpdateTask.exe [2009-09-02 19:56]

2011-02-28 c:\windows\Tasks\User_Feed_Synchronization-{C2210375-15D4-4C75-85FD-7999CC8CBB03}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Rick\Application Data\Mozilla\Firefox\Profiles\0gjdy0ic.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\program files\Mozilla Firefox 4.0 Beta 7\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - d:\program files\Mozilla Firefox 4.0 Beta 7\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - d:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\IPSFFPlgn
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
AddRemove-LADSPA_plugins-win_is1 - d:\program files\Audacity 1.3 Beta (Unicode)\Plug-Ins\Plug-Ins\unins000.exe
AddRemove-NAV - d:\program files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV\562C4DD5\18.1.0.37\InstStub.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - d:\program files\DivX\DivXCodecUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-07 01:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"d:\program files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NAV\" /m \"d:\program files\Norton AntiVirus\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2792)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
d:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\HPZipm12.exe
d:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\System32\wbem\unsecapp.exe
d:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\AGRSMMSG.exe
d:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
d:\program files\Mozilla Firefox 4.0 Beta 7\firefox.exe
d:\program files\Mozilla Firefox 4.0 Beta 7\plugin-container.exe
d:\program files\Internet Explorer\iexplore.exe
d:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2011-01-07 01:57:27 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-07 06:56

Pre-Run: 4,164,562,944 bytes free
Post-Run: 7,937,630,208 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - FB9F6B12846D784D6951EBFBE7C4B4A3

#6 teacup61 (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 14 January 2011 - 05:05 PM

Thanks for that. :thumbup2:

I see pieces of Hitman Pro, Sophos, as well as Norton. 2 of them need to go. That may be part of what's causing problems with ComboFix.

Also, this file seems to be pretty stubborn, so see if it's still there and delete it if it still is: c:\windows\system32\drivers\sst67A.tmp and c:\windows\system32\drivers\sst67A.sys

Uninstall the ComboFix you have now and get another:

Uninstall ComboFix by doing the following:

Click Start > Run > type in, or copy and paste, ComboFix /Uninstall > click OK

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to brashcube.exe and try again.

Thanks,
tea

#7 brashcube46 (Topic Starter, Members, 5 posts)

Posted 14 January 2011 - 08:04 PM

I removed Sophos and Norton. I only ran a "one-time scan" w/ Hitman and never completed a full installation. All other requested steps were completed, as well. See below for ComboFix log.

ComboFix 11-01-14.01 - Rick 01/14/2011 19:15:12.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.645 [GMT -5:00]
Running from: c:\documents and settings\Rick\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\3423409.exe

.
((((((((((((((((((((((((( Files Created from 2010-12-15 to 2011-01-15 )))))))))))))))))))))))))))))))
.

2011-01-09 20:38 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-01-08 22:16 . 2011-01-08 22:16 -------- d-----w- d:\program files\ESET
2011-01-08 22:05 . 2011-01-08 22:05 -------- d-----w- C:\rsit
2011-01-08 22:05 . 2011-01-08 22:05 -------- d-----w- d:\program files\trend micro
2011-01-08 20:55 . 2011-01-08 20:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2011-01-08 13:42 . 2008-04-14 00:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2011-01-08 13:31 . 2011-01-08 13:41 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-08 13:31 . 2011-01-08 13:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-01-08 07:09 . 2011-01-08 07:09 -------- d-----w- c:\documents and settings\Rick\Application Data\Malwarebytes
2011-01-08 07:09 . 2011-01-08 07:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-08 07:09 . 2011-01-14 23:02 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2011-01-08 04:24 . 2011-01-08 04:24 -------- d-----w- d:\program files\Sophos
2011-01-07 13:02 . 2011-01-07 13:02 -------- d-----w- c:\documents and settings\rdavis3
2011-01-02 13:57 . 2010-12-03 09:05 15880 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-02 11:06 . 2010-12-03 09:05 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-01-02 11:06 . 2011-01-02 11:06 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-02 11:04 . 2011-01-02 11:04 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2011-01-02 11:03 . 2011-01-02 11:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-01-02 11:03 . 2011-01-02 11:03 -------- d-----w- d:\program files\Lavasoft
2010-12-31 12:48 . 2010-12-31 12:48 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\Research In Motion
2010-12-31 12:48 . 2010-12-31 12:48 -------- d-----w- c:\documents and settings\Rick\Application Data\Research In Motion
2010-12-31 12:47 . 2009-01-09 22:18 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2010-12-31 12:47 . 2010-12-31 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-12-31 12:46 . 2010-12-31 12:46 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-12-31 12:46 . 2010-12-31 12:46 -------- d-----w- d:\program files\Research In Motion
2010-12-25 18:56 . 2010-12-25 18:56 -------- d-----w- c:\program files\Common Files\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-02 03:35 . 2010-12-02 03:35 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-12-01 05:24 . 2010-12-09 20:10 368248 ----a-w- c:\windows\system32\drivers\NAV\1205000.07D\symtdi.sys
2010-12-01 05:24 . 2010-12-09 20:10 295032 ----a-w- c:\windows\system32\drivers\NAV\1205000.07D\symnets.sys
2010-12-01 05:23 . 2010-12-09 20:10 330360 ----a-w- c:\windows\system32\drivers\NAV\1205000.07D\symtdiv.sys
2010-11-23 04:08 . 2010-12-09 20:10 509560 ----a-w- c:\windows\system32\drivers\NAV\1205000.07D\srtsp.sys
2010-11-23 04:08 . 2010-12-09 20:10 50168 ----a-w- c:\windows\system32\drivers\NAV\1205000.07D\srtspx.sys
2010-11-18 18:12 . 2009-12-30 05:07 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-18 02:59 . 2010-12-09 20:10 652336 ----a-w- c:\windows\system32\drivers\NAV\1205000.07D\symefa.sys
2010-11-16 01:45 . 2010-12-09 20:10 136312 ----a-w- c:\windows\system32\drivers\NAV\1205000.07D\ironx86.sys
2010-11-09 14:52 . 2001-08-23 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2001-08-23 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2009-12-30 13:30 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2001-08-23 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-11-01 19:39 . 2009-12-30 14:54 15256 ----a-w- c:\documents and settings\Rick\Application Data\Microsoft\IdentityCRL\ppcrlconfig.dll
2010-10-28 13:13 . 2001-08-23 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2001-08-23 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-21 02:28 . 2010-12-09 20:10 340016 ----a-w- c:\windows\system32\drivers\NAV\1205000.07D\symds.sys
2010-08-11 20:57 . 2010-02-07 00:56 119808 ----a-w- d:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-09-02 19:56 1175944 ----a-w- d:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "d:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"j2 4.4"="d:\program files\j2 Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]
"Google Update"="c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-09-17 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-06 335872]
"YMailAdvisor"="d:\program files\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 88361]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"Monitor"="d:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-11-08 193880]
"Google Desktop Search"="d:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-11 30192]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2009-12-17 149224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-05-11 441120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - d:\program files\APC\APC PowerChute Personal Edition\Display.exe [2010-5-11 221247]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Documents and Settings\\Rick\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"d:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/2/2011 6:06 AM 64288]
R0 si3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [12/31/1979 7:00 PM 116264]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [12/31/1979 7:00 PM 19240]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 4:05 AM 1402272]
R3 NmPar;Unusable Parallel Port;c:\windows\system32\drivers\NmPar.sys [12/24/2008 5:40 AM 80256]
R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [12/16/2008 6:10 AM 70016]
S2 gupdate;Google Update Service (gupdate);d:\program files\Google\Update\GoogleUpdate.exe [9/17/2010 7:33 PM 136176]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [1/26/2010 7:45 PM 18560]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;d:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/6/2010 7:56 PM 30192]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/30/2009 9:29 AM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-11-22 19:18 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2011-01-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- d:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 09:04]

2011-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-09-18 00:33]

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-09-18 00:33]

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-2000478354-1801674531-1003Core.job
- c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-17 01:02]

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-2000478354-1801674531-1003UA.job
- c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-17 01:02]

2011-01-15 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- d:\program files\Ask.com\UpdateTask.exe [2009-09-02 19:56]

2011-02-28 c:\windows\Tasks\User_Feed_Synchronization-{C2210375-15D4-4C75-85FD-7999CC8CBB03}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Rick\Application Data\Mozilla\Firefox\Profiles\0gjdy0ic.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\program files\Mozilla Firefox 4.0 Beta 7\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - d:\program files\Mozilla Firefox 4.0 Beta 7\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - d:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-14 19:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\9.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(224)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
d:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\HPZipm12.exe
d:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\System32\wbem\unsecapp.exe
d:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\AGRSMMSG.exe
d:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
d:\program files\Internet Explorer\iexplore.exe
d:\program files\Internet Explorer\iexplore.exe
d:\program files\Internet Explorer\iexplore.exe
d:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2011-01-14 20:00:42 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-15 01:00
ComboFix2.txt 2011-01-07 06:57

Pre-Run: 7,886,405,632 bytes free
Post-Run: 8,261,025,792 bytes free

- - End Of File - - D8BACB32B65570312FD58AAFC5266D26

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:54 AM

Posted 15 January 2011 - 12:28 PM

Thank you for that. :thumbup2:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

KILLALL::
Folder::
d:\program files\Ask.com
File::
c:\windows\system32\9.tmp
Registry::
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

How is it running? Are you still redirected?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 brashcube46

brashcube46
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:54 AM

Posted 15 January 2011 - 02:33 PM

Using your script w/ ComboFix Blue Screened the computer two times. I deleted the Ask.com directory manually and could not find a file called 9.tmp in the windows\system32 directory.

I modified the script to only delete the registry entries and ran ComboFix again ... which finally ran.

Below is my modified script.

KILLALL::
Registry::
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

Below is the output log.

After ComboFix completed IE will not launch now w/o crashing and Google results still redirect in Firefox. What's next?

-----


ComboFix 11-01-14.01 - Rick 01/15/2011 13:32:48.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.647 [GMT -5:00]
Running from: c:\documents and settings\Rick\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rick\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
.

((((((((((((((((((((((((( Files Created from 2010-12-15 to 2011-01-15 )))))))))))))))))))))))))))))))
.

2011-01-15 01:43 . 2011-01-15 01:43 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\Help
2011-01-15 01:38 . 2011-01-15 01:39 -------- d-----w- d:\program files\Silicon Image
2011-01-15 01:12 . 2011-01-15 02:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-01-15 01:12 . 2011-01-15 01:12 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-01-15 01:12 . 2011-01-15 01:12 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-01-15 01:12 . 2011-01-15 01:12 -------- d-----w- d:\program files\Symantec
2011-01-15 01:11 . 2011-01-15 01:11 -------- d-----w- d:\program files\NortonInstaller
2011-01-09 20:38 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-01-08 22:16 . 2011-01-08 22:16 -------- d-----w- d:\program files\ESET
2011-01-08 22:05 . 2011-01-08 22:05 -------- d-----w- C:\rsit
2011-01-08 22:05 . 2011-01-08 22:05 -------- d-----w- d:\program files\trend micro
2011-01-08 20:55 . 2011-01-08 20:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2011-01-08 13:42 . 2008-04-14 00:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2011-01-08 13:31 . 2011-01-08 13:41 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-08 13:31 . 2011-01-08 13:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-01-08 07:09 . 2011-01-08 07:09 -------- d-----w- c:\documents and settings\Rick\Application Data\Malwarebytes
2011-01-08 07:09 . 2011-01-08 07:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-08 07:09 . 2011-01-14 23:02 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2011-01-08 04:24 . 2011-01-08 04:24 -------- d-----w- d:\program files\Sophos
2011-01-07 13:02 . 2011-01-07 13:02 -------- d-----w- c:\documents and settings\rdavis3
2011-01-02 13:57 . 2010-12-03 09:05 15880 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-02 11:06 . 2010-12-03 09:05 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-01-02 11:06 . 2011-01-02 11:06 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-02 11:04 . 2011-01-02 11:04 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2011-01-02 11:03 . 2011-01-02 11:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-01-02 11:03 . 2011-01-02 11:03 -------- d-----w- d:\program files\Lavasoft
2010-12-31 12:48 . 2010-12-31 12:48 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\Research In Motion
2010-12-31 12:48 . 2010-12-31 12:48 -------- d-----w- c:\documents and settings\Rick\Application Data\Research In Motion
2010-12-31 12:47 . 2009-01-09 22:18 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2010-12-31 12:47 . 2010-12-31 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-12-31 12:46 . 2010-12-31 12:46 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-12-31 12:46 . 2010-12-31 12:46 -------- d-----w- d:\program files\Research In Motion
2010-12-25 18:56 . 2010-12-25 18:56 -------- d-----w- c:\program files\Common Files\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-02 03:35 . 2010-12-02 03:35 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-12-01 05:24 . 2010-12-09 20:10 368248 ----a-r- c:\windows\system32\drivers\NAV\1205000.07D\symtdi.sys
2010-12-01 05:24 . 2010-12-09 20:10 295032 ----a-r- c:\windows\system32\drivers\NAV\1205000.07D\symnets.sys
2010-12-01 05:23 . 2010-12-09 20:10 330360 ----a-r- c:\windows\system32\drivers\NAV\1205000.07D\symtdiv.sys
2010-11-23 04:08 . 2010-12-09 20:10 509560 ----a-r- c:\windows\system32\drivers\NAV\1205000.07D\srtsp.sys
2010-11-23 04:08 . 2010-12-09 20:10 50168 ----a-r- c:\windows\system32\drivers\NAV\1205000.07D\srtspx.sys
2010-11-18 18:12 . 2009-12-30 05:07 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-18 02:59 . 2010-12-09 20:10 652336 ----a-r- c:\windows\system32\drivers\NAV\1205000.07D\symefa.sys
2010-11-16 01:45 . 2010-12-09 20:10 136312 ----a-r- c:\windows\system32\drivers\NAV\1205000.07D\ironx86.sys
2010-11-09 14:52 . 2001-08-23 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2001-08-23 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2009-12-30 13:30 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2001-08-23 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-11-01 19:39 . 2009-12-30 14:54 15256 ----a-w- c:\documents and settings\Rick\Application Data\Microsoft\IdentityCRL\ppcrlconfig.dll
2010-10-28 13:13 . 2001-08-23 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2001-08-23 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-21 02:28 . 2010-12-09 20:10 340016 ----a-r- c:\windows\system32\drivers\NAV\1205000.07D\symds.sys
2010-08-11 20:57 . 2010-02-07 00:56 119808 ----a-w- d:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot@2011-01-15_00.46.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-09-23 06:35 . 2005-09-23 06:35 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0ee63867\vcomp.dll
+ 2005-09-23 05:58 . 2005-09-23 05:58 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80KOR.dll
+ 2005-09-23 05:58 . 2005-09-23 05:58 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80JPN.dll
+ 2005-09-23 05:58 . 2005-09-23 05:58 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ITA.dll
+ 2005-09-23 05:58 . 2005-09-23 05:58 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80FRA.dll
+ 2005-09-23 05:58 . 2005-09-23 05:58 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ESP.dll
+ 2005-09-23 05:58 . 2005-09-23 05:58 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ENU.dll
+ 2005-09-23 05:58 . 2005-09-23 05:58 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80DEU.dll
+ 2005-09-23 05:58 . 2005-09-23 05:58 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80CHT.dll
+ 2005-09-23 05:58 . 2005-09-23 05:58 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80CHS.dll
+ 2005-09-23 06:16 . 2005-09-23 06:16 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfcm80u.dll
+ 2005-09-23 06:16 . 2005-09-23 06:16 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfcm80.dll
+ 2011-01-15 19:02 . 2011-01-15 19:02 16384 c:\windows\Temp\Perflib_Perfdata_7bc.dat
+ 2011-01-15 19:03 . 2011-01-15 19:03 16384 c:\windows\Temp\Perflib_Perfdata_238.dat
+ 2011-01-15 01:38 . 2007-08-29 08:04 19240 c:\windows\system32\ReinstallBackups\0015\DriverFiles\SiWinAcc.sys
- 2001-08-23 12:00 . 2010-11-20 20:42 67312 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2011-01-15 18:18 67312 c:\windows\system32\perfc009.dat
+ 1980-01-01 00:00 . 2010-02-03 19:37 19240 c:\windows\system32\drivers\SiWinAcc.sys
- 1980-01-01 00:00 . 2007-08-29 08:04 19240 c:\windows\system32\drivers\SiWinAcc.sys
- 2009-12-30 05:11 . 2011-01-14 23:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-30 05:11 . 2011-01-15 19:02 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-30 05:11 . 2011-01-15 19:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-12-30 05:11 . 2011-01-14 23:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-12-30 05:11 . 2011-01-14 23:45 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-12-30 05:11 . 2011-01-15 19:02 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-08-29 08:04 . 2010-02-03 19:37 118824 c:\windows\system32\SilSupp.dll
- 2007-08-29 08:04 . 2007-08-29 08:04 118824 c:\windows\system32\SilSupp.dll
+ 2011-01-15 01:38 . 2007-08-29 08:04 118824 c:\windows\system32\ReinstallBackups\0015\DriverFiles\SilSupp.dll
+ 2011-01-15 01:38 . 2007-08-29 08:04 116264 c:\windows\system32\ReinstallBackups\0015\DriverFiles\SI3112r.sys
+ 2001-08-23 12:00 . 2011-01-15 18:18 432356 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2010-11-20 20:42 432356 c:\windows\system32\perfh009.dat
+ 1980-01-01 00:00 . 2010-02-03 19:37 115752 c:\windows\system32\drivers\SI3112r.sys
+ 2011-01-15 04:12 . 2011-01-15 04:12 628224 c:\windows\Installer\bf4f0e.msi
+ 2011-01-15 01:39 . 2011-01-15 01:39 210432 c:\windows\Installer\320d0b.msi
+ 2011-01-15 01:38 . 2011-01-15 01:38 451584 c:\windows\Installer\320d07.msi
+ 2011-01-15 01:38 . 2011-01-15 01:38 213504 c:\windows\Installer\320d03.msi
+ 2005-09-23 06:16 . 2005-09-23 06:16 1079808 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfc80u.dll
+ 2005-09-23 06:16 . 2005-09-23 06:16 1093632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfc80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"j2 4.4"="d:\program files\j2 Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]
"Google Update"="c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-09-17 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-06 335872]
"YMailAdvisor"="d:\program files\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 88361]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"Monitor"="d:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-11-08 193880]
"Google Desktop Search"="d:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-11 30192]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2009-12-17 149224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-05-11 441120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - d:\program files\APC\APC PowerChute Personal Edition\Display.exe [2010-5-11 221247]
SATARaid.lnk - c:\windows\Installer\{D28ED536-CCD0-4F38-987C-A57177371172}\_C44874295DD9B5E8BC3D7A.exe [2011-1-14 1078]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Documents and Settings\\Rick\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"d:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/2/2011 6:06 AM 64288]
R0 si3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [12/31/1979 7:00 PM 115752]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [12/31/1979 7:00 PM 19240]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1205000.07D\symds.sys [12/9/2010 3:10 PM 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1205000.07D\symefa.sys [12/9/2010 3:10 PM 652336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [1/14/2011 8:11 PM 691248]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1205000.07D\ironx86.sys [12/9/2010 3:10 PM 136312]
R2 NAV;Norton AntiVirus;d:\program files\Norton AntiVirus\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe [1/14/2011 8:11 PM 130000]
R2 SiHbaWakeupService;Silicon Image HBA Wakeup Utility;d:\program files\Silicon Image\Silicon Image HBA Wakeup Utility\SiHbaWakeupService.exe [7/28/2009 10:43 AM 62464]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/15/2011 12:18 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\IPSDefs\20110114.002\IDSXpx86.sys [1/14/2011 8:36 PM 341944]
R3 NmPar;Unusable Parallel Port;c:\windows\system32\drivers\NmPar.sys [12/24/2008 5:40 AM 80256]
R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [12/16/2008 6:10 AM 70016]
S2 gupdate;Google Update Service (gupdate);d:\program files\Google\Update\GoogleUpdate.exe [9/17/2010 7:33 PM 136176]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 4:05 AM 1402272]
S3 EraserUtilDrvI10;EraserUtilDrvI10;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI10.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI10.sys [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [1/26/2010 7:45 PM 18560]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;d:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/6/2010 7:56 PM 30192]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/30/2009 9:29 AM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-11-22 19:18 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2011-01-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- d:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 09:04]

2011-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-09-18 00:33]

2011-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-09-18 00:33]

2011-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-2000478354-1801674531-1003Core.job
- c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-17 01:02]

2011-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-2000478354-1801674531-1003UA.job
- c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-17 01:02]

2011-02-28 c:\windows\Tasks\User_Feed_Synchronization-{C2210375-15D4-4C75-85FD-7999CC8CBB03}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Rick\Application Data\Mozilla\Firefox\Profiles\0gjdy0ic.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\program files\Mozilla Firefox 4.0 Beta 7\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - d:\program files\Mozilla Firefox 4.0 Beta 7\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - d:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-15 14:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"d:\program files\Norton AntiVirus\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NAV\" /m \"d:\program files\Norton AntiVirus\Norton AntiVirus\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\9.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4076)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\xpsp3res.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
d:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\HPZipm12.exe
d:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\AGRSMMSG.exe
d:\program files\Silicon Image\3x12-W-I32-R SATARAID\SATARaid.exe
d:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
d:\program files\Internet Explorer\iexplore.exe
d:\program files\Internet Explorer\iexplore.exe
d:\program files\Internet Explorer\iexplore.exe
d:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2011-01-15 14:23:02 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-15 19:22
ComboFix2.txt 2011-01-15 01:01
ComboFix3.txt 2011-01-07 06:57

Pre-Run: 7,632,982,016 bytes free
Post-Run: 7,620,661,248 bytes free

- - End Of File - - A363DC7A4E397F9F351505881B69B74E
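The service and driver lines in the Reg Loading Points section of the ComboFix log above (the `R0`/`S3` entries) are where a responder looks for persistence that loads before the user does. Entries such as `MEMSWEEP2`, whose image is a `.tmp` file under system32 that ComboFix marks `[?]` (file not found), are the ones worth a second look. The following is an added example written for this thread, not code from ComboFix or from anyone in the thread: a small Python parser for those lines that flags missing images, `.tmp` images and images under a Temp directory. The sample lines are copied from the log above; the digit after `R`/`S` is assumed to be the service's Start value. A finding means the entry needs a look, not that it is malicious.

```python
"""Triage helper for the service lines in a ComboFix "Reg Loading Points" section.

Added example for this thread, not part of ComboFix. The line format is taken
from the log posted above; the SAMPLE_LOG lines are copied from it.
"""
import re
from dataclasses import dataclass, field

# One service/driver line, e.g.
#   R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/2/2011 6:06 AM 64288]
#   S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
# R = running, S = stopped; the digit is assumed to be the service Start value;
# the bracket holds the file timestamp and size, or "?" when the file was not found.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start_type>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s+\[(?P<info>[^\]]*)\]\s*$"
)


@dataclass
class ServiceEntry:
    state: str          # "R" running or "S" stopped
    start_type: int     # assumed Start value (0 boot .. 4 disabled)
    name: str
    display: str
    image: str          # normalised image path (\??\ prefix and "-->" resolved)
    file_missing: bool  # True when ComboFix printed "[?]" instead of date/size
    findings: list = field(default_factory=list)


def parse_service_line(line):
    """Return a ServiceEntry for one service line, or None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    image = m.group("image")
    if "-->" in image:
        # ComboFix prints "<registry ImagePath> --> <resolved path>"; keep the resolved one
        image = image.split("-->", 1)[1].strip()
    if image.startswith("\\??\\"):
        image = image[4:]
    return ServiceEntry(
        state=m.group("state"),
        start_type=int(m.group("start_type")),
        name=m.group("name").strip(),
        display=m.group("display").strip(),
        image=image,
        file_missing=m.group("info").strip() == "?",
    )


def triage(entry):
    """Attach review findings to an entry; an empty list means nothing stood out."""
    basename = entry.image.rsplit("\\", 1)[-1].lower()
    if entry.file_missing:
        entry.findings.append("image file not found on disk")
    if basename.endswith(".tmp"):
        entry.findings.append("service image is a .tmp file")
    if "\\temp\\" in entry.image.lower():
        entry.findings.append("image lives in a Temp directory")
    return entry.findings


def triage_log(text):
    """Parse every service line in a ComboFix log and return the entries in order."""
    entries = []
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry is not None:
            triage(entry)
            entries.append(entry)
    return entries


# Constructed sample: five lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/2/2011 6:06 AM 64288]
R2 NAV;Norton AntiVirus;d:\program files\Norton AntiVirus\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe [1/14/2011 8:11 PM 130000]
S3 EraserUtilDrvI10;EraserUtilDrvI10;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI10.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI10.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/30/2009 9:29 AM 691696]
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        mark = "REVIEW" if e.findings else "ok    "
        print(f"{mark} {e.state}{e.start_type} {e.name:<20} {e.image}")
        for f in e.findings:
            print(f"         - {f}")
```

Run against the sample, `MEMSWEEP2` gets two findings (file missing, `.tmp` image) and `EraserUtilDrvI10` one (file missing); the other three entries are not flagged. Pointing `triage_log` at a whole ComboFix.txt works the same way, since lines that do not match the service pattern are ignored.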

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:54 AM

Posted 15 January 2011 - 02:42 PM

If you can't follow my instructions, or keep from modifying the scripts, then we're done here. I won't be responsible for things you do on your own. <_< I asked you to do them for a reason.

Uninstall ComboFix by doing the following :

Click Start>Run>Type in, or copy and paste ComboFix /Uninstall > click OK

Regards,
teacup61



