
"213.174.137.82" has hijacked Google homepage


11 replies to this topic

#1 chaossock

chaossock

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:41 AM

Posted 11 March 2012 - 02:19 AM

Hello Bleeping,

In short, it seems a virus has "hijacked" my Google.com (I use Firefox 10.0.2), as well as disabling Captchas and various other website features. Google searches return legit results, but every link is a redirect of some sort. Also, general PC performance is reduced to varying degrees. Access to 'My Computer' has been affected, and at least once the machine has failed to shut down on its own.

For reference, this guy seems to have a similar issue:
http://www.bleepingcomputer.com/forums/topic441410.html

Also, this poster seems to have the same GMER rootkit as me
http://www.bleepingcomputer.com/forums/topic445784.html



Detailed rundown / story -- DDS log is below this if you want to skip all the details.

I'm posting from my Laptop; my desktop is infected and here are its specs:
Win XP Home Edition 32 bit (5.1, Build 2600), service pack 3
AMD Athlon 64 Processor @ 1.8 Ghz
Abit AV8 Mobo
1 gig of system ram
GeForce 7800GS AGP GPU w/ 256mb ram


Thursday night ago I'm using my computer normally. I don't remember doing anything odd, but my computer slows to an absolute crawl. I am forced to shut down. The next day the computer seems to be running better, but begins lagging too much, so I run a full chkdsk (with repair bad sectors) at start-up -- drive is totally clean. I update Malwarebytes (which I use in conjunction with Symantec Anti Virus), and perform a full scan, which takes about 5x longer than normal. Zero objects infected, no issues found.

Using Firefox / Google, I discover these symptoms:

-www.Google.com seems to have been hijacked by this virus. It's not the real Google page, but a replication of it which lacks the auto-fill feature, as well as the normal links at the bottom of Google's home page (like Business Solutions, Privacy Policy, etc.)

-when loading Google.com, status bar indicates a connection to the IP of 213.174.137.82. Also, when I hover over the "Sign in" link at the top right, an abnormal link appears -- accounts(dot)google(dot)com/ServiceLogin?hl=en&continue=http://209.85.145.103

-When doing a search, normal results appear (wikipedia, etc.) but every link is a worthless redirect.

-Captchas seem to be universally disabled. For example, I could not register for BleepingComputer on the infected computer because the question / answer verification captcha was instead an ad for Pizza Hut. Captchas are just non-existent on other sites.

Unable to do a system restore in the normal XP environment, I start in safe mode and restore to about a week earlier. System restarts, all seems well... but within 15 minutes the "213.174.137.82" reloads itself over Google, and my computer slows to a crawl.

If you're still reading, bear with me... I'm almost through. I use system restore to jump ahead to the latest restore point I had (but still predating the initial infection). After the restore, a fake "anti-virus" program begins scanning my computer and systematically closing all the programs that usually run at start-up / in my system tray. This is what I had, and it seems like the OP of that thread may have the same virus. So, I return to the initial restore point I used, and thankfully it's just the "213.174.137.82" Google hijack, no cancerous "Internet Security Center."

I have run DDS and GMER. The 1st GMER scan I did took a long while before it BSOD'd my computer. I restarted, scanned again, and it finished without issue in about 2 minutes.

______________________

DDS LOG:

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Run by BK Broiler at 20:38:56 on 2012-03-10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.296 [GMT -8:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\BeSecure 2005\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\BeSecure 2005\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol 120\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\BeSecure 2005\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\BeSecure 2005\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\BESECU~1\SYMANT~2\VPTray.exe
C:\Program Files\BeSecure 2005\Symantec AntiVirus\DoScan.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFIA.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFIA.EXE
C:\Program Files\Belkin\F6D4050\v1\BelkinWCUI.exe
C:\Program Files\iPod\bin\iPodService.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {348FE907-249E-4C65-A838-F34A193FE1D1} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [EPSON NX510 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatifia.exe /fu "c:\docume~1\bkbroi~1\locals~1\temp\E_S3.tmp" /EF "HKCU"
uRun: [Epson Stylus NX510(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatifia.exe /fu "c:\windows\temp\E_S82.tmp" /EF "HKCU"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\besecu~1\symant~2\VPTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [MDDiskProtect.exe] c:\program files\mediafour\macdrive\MDDiskProtect.exe
mRun: [MediafourGettingStartedWithMacDrive6] "c:\program files\mediafour\macdrive\MacDrive.exe" /runonce
mRun: [Mediafour Mac Volume Notifications] "c:\program files\common files\mediafour\MACVNTFY.EXE" /auto
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [systemrxxt.exe] c:\systemrxxt.exe\systemrxxt.exe
StartupFolder: c:\docume~1\bkbroi~1\startm~1\programs\startup\my_aut~1.lnk - c:\games\warcraft iii\warkeys\autowarkey\autohotkey\AutoHotkey.exe
StartupFolder: c:\documents and settings\bk broiler\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f6d4050\v1\BelkinWCUI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E7D864D8-72D1-4483-8382-37ED47074668} : DhcpNameServer = 192.168.1.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: MacDrive-iTunes compatibility - c:\program files\common files\mediafour\MacDriveiTunesPatch.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 94.63.147.16 www.google.com
Hosts: 94.63.147.17 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\bk broiler\application data\mozilla\firefox\profiles\q59pjwsp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\media players\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\media players\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\media players\realplayer\netscape6\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.SYS [2005-7-6 44404]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2004-4-28 77312]
R1 MDFSYSNT;MDFSYSNT;c:\windows\system32\drivers\MDFSYSNT.SYS [2005-7-6 277352]
R1 SAVRT;SAVRT;c:\program files\besecure 2005\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\besecure 2005\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-4-8 239216]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
R2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol 120\alcohol 120\starwind\StarWindService.exe [2005-4-2 217600]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\besecure 2005\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20120217.004\naveng.sys [2012-2-17 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20120217.004\navex15.sys [2012-2-17 1576312]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-7-29 637952]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-3-22 450400]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\bw2ndis5.sys --> c:\windows\system32\drivers\BW2NDIS5.sys [?]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5b.sys [2003-9-2 44032]
S3 jbridgep;jbridgep;c:\docume~1\bkbroi~1\locals~1\temp\jbridgep.sys [2004-9-2 31744]
S3 SavRoam;SAVRoam;c:\program files\besecure 2005\symantec antivirus\SavRoam.exe [2005-4-17 124608]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-2-2 96488]
S4 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [2006-3-20 159616]
S4 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [2006-3-20 5248]
.
=============== Created Last 30 ================
.
2012-03-10 17:11:13 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-03-10 17:11:13 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-05 00:24:19 -------- d-----w- c:\documents and settings\bk broiler\application data\Aladdin Systems
2012-02-15 09:09:08 -------- d-----w- c:\program files\common files\Native Instruments
2012-02-15 09:09:08 -------- d-----w- c:\documents and settings\all users\application data\Native Instruments
2012-02-15 05:44:04 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 05:44:04 3072 ------w- c:\windows\system32\iacenc.dll
.
==================== Find3M ====================
.
2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-19 08:53:33 667136 ----a-w- c:\windows\system32\wininet.dll
2011-12-19 08:53:33 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-12-19 08:53:32 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-12-16 13:16:31 369664 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 20:40:03.78 ===============

_______________________

GMER / attach.txt's are attached.

Thank you!!

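As an added example (not code from the thread, from DDS or from its author), a small Python triage script that parses the Hosts, Run and Firefox prefs.js lines of a DDS "Pseudo HJT Report" like the one pasted above and flags the three indicators a helper reads that log for: hosts-file entries pinning major domains to routable addresses, autorun entries launched from odd locations, and Firefox search or proxy preferences pointing somewhere unexpected. The sample log is a constructed, abridged excerpt; the domain lists and path heuristics are assumptions, not DDS rules.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed excerpt modelled on the DDS "Pseudo HJT Report" and FIREFOX
# sections pasted in the thread (abridged; not the poster's full log).
SAMPLE_LOG = r"""
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SoundMan] SOUNDMAN.EXE
dRun: [systemrxxt.exe] c:\systemrxxt.exe\systemrxxt.exe
Hosts: 94.63.147.16 www.google.com
Hosts: 94.63.147.17 www.bing.com
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 2
"""

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
RUN_RE = re.compile(r"^([umd]Run):\s+\[(.*?)\]\s*(.*)$")
FF_RE = re.compile(r"^FF - prefs\.js:\s+(\S+)\s+-\s*(.*)$")

# Assumed lists: domains a clean machine has no reason to pin in the hosts
# file, and search engines a user may plausibly have configured by hand.
HIGH_VALUE_HOSTS = {"www.google.com", "google.com", "www.bing.com", "bing.com",
                    "www.yahoo.com", "update.microsoft.com"}
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}
# Meaning of Firefox's network.proxy.type values (as shown in about:config).
PROXY_TYPES = {"0": "no proxy", "1": "manual proxy", "2": "PAC script",
               "4": "WPAD auto-detect", "5": "system proxy"}
# Assumed heuristic: autorun entries normally do not live in these places.
ODD_LOCATIONS = ("\\temp\\", "\\locals~1\\", "\\local settings\\",
                 "\\application data\\", "\\appdata\\")


def _host_of(url: str) -> str:
    # DDS defangs http to hxxp; undo it so urlparse recognises the scheme.
    return urlparse(url.strip().replace("hxxp", "http", 1)).netloc.lower()


def check_hosts(ip: str, name: str):
    """A hosts entry pinning a major domain to a routable address is a hijack."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return f"Hosts entry with unparseable address: {ip} {name}"
    if name.lower() in HIGH_VALUE_HOSTS and not (addr.is_loopback or addr.is_unspecified):
        return f"Hosts hijack: {name} -> {ip} (not loopback)"
    return None


def check_run(hive: str, name: str, cmd: str):
    """Flag autoruns launched from user-writable places or from a folder named like an .exe."""
    path = cmd.strip().strip('"').lower()
    folder = path.rsplit("\\", 1)[0] if "\\" in path else ""
    if any(part in path for part in ODD_LOCATIONS):
        return f"{hive} [{name}] runs from a user-writable location: {cmd}"
    if folder.endswith(".exe"):
        return f"{hive} [{name}] runs from a directory named like an executable: {cmd}"
    return None


def check_ff_pref(key: str, value: str):
    """Flag a non-default proxy mode and search prefs pointing at an unexpected host."""
    value = value.strip()
    if key == "network.proxy.type":
        if value not in ("0", "5"):
            meaning = PROXY_TYPES.get(value, "unknown")
            return f"Firefox network.proxy.type={value} ({meaning}): requests may be silently proxied"
        return None
    if key in ("browser.search.defaulturl", "keyword.URL"):
        host = _host_of(value)
        if host and host not in KNOWN_SEARCH_HOSTS:
            return f"Firefox {key} redirects searches to {host}"
    return None


def analyze(log: str):
    """Return one finding string per suspicious line, in log order."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            finding = check_hosts(m.group(1), m.group(2))
        elif m := RUN_RE.match(line):
            finding = check_run(*m.groups())
        elif m := FF_RE.match(line):
            finding = check_ff_pref(m.group(1), m.group(2))
        else:
            finding = None
        if finding:
            findings.append(finding)
    return findings
```

Run `analyze()` over a saved DDS.txt to get the five findings the sample produces: the systemrxxt.exe autorun, both hosts-file pins, the Conduit search URL and the PAC proxy setting.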

 


#2 shelf life

shelf life

  • Malware Response Team
  • 2,653 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:01:41 PM

Posted 11 March 2012 - 09:41 AM

hi chaossock,

Your post is a few days old. If you still need help simply reply back.

How Can I Reduce My Risk to Malware?


#3 chaossock

chaossock
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:41 AM

Posted 11 March 2012 - 01:47 PM

Hello shelf life,

Yes, I am still in need of help =(

Thanks

#4 shelf life

shelf life

  • Malware Response Team
  • 2,653 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:01:41 PM

Posted 11 March 2012 - 03:26 PM

OK. Let's start with TDSSKiller and go on from there:



Please download TDSS Killer.exe and save it to your desktop
Double click to launch the utility. After it initializes click the start scan button.

Once the scan completes you can click the continue button.

"The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."

"After clicking Next, the utility applies selected actions and outputs the result."

"A reboot might be required after disinfection."

A report will be found in your Root drive Local Disk (C:) as: TDSSKiller.2.7.9.0_05.02.2012_17.32.21_log (name, version#, date, time)

How Can I Reduce My Risk to Malware?


#5 chaossock

chaossock
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:41 AM

Posted 11 March 2012 - 04:12 PM

I ran TDSS Killer, which cured one object that is now in quarantine. "213.174.137.82" still loads on Google, and this odd little program called binlabel.exe also exists in the 'My Documents' / 'All Users' folder. It keeps trying to access the internet and I've blocked it with Symantec. It might be malware.

edit: forgot to mention -- binlabel.exe was created yesterday. It won't allow me to delete it as it's write protected; a Google search on it did not yield much.


TDSS Killer log:

2011/09/03 04:47:16.0468 0476 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
2011/09/03 04:47:18.0468 0476 ================================================================================
2011/09/03 04:47:18.0468 0476 SystemInfo:
2011/09/03 04:47:18.0468 0476
2011/09/03 04:47:18.0500 0476 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/03 04:47:18.0500 0476 Product type: Workstation
2011/09/03 04:47:18.0500 0476 ComputerName: JUNIOR
2011/09/03 04:47:18.0500 0476 UserName: BK Broiler
2011/09/03 04:47:18.0500 0476 Windows directory: C:\WINDOWS
2011/09/03 04:47:18.0500 0476 System windows directory: C:\WINDOWS
2011/09/03 04:47:18.0500 0476 Processor architecture: Intel x86
2011/09/03 04:47:18.0500 0476 Number of processors: 1
2011/09/03 04:47:18.0500 0476 Page size: 0x1000
2011/09/03 04:47:18.0500 0476 Boot type: Normal boot
2011/09/03 04:47:18.0500 0476 ================================================================================
2011/09/03 04:47:19.0750 0476 Initialize success
2011/09/03 04:47:38.0609 5064 ================================================================================
2011/09/03 04:47:38.0609 5064 Scan started
2011/09/03 04:47:38.0609 5064 Mode: Manual;
2011/09/03 04:47:38.0609 5064 ================================================================================
2011/09/03 04:47:56.0140 5064 SYMFW (ca212638c07f7a1736667319589f416e) C:\WINDOWS\System32\Drivers\SYMFW.SYS
2011/09/03 04:47:56.0218 5064 SYMIDS (83a0415ab669afe9f2b7fccc52f23153) C:\WINDOWS\System32\Drivers\SYMIDS.SYS
2011/09/03 04:47:56.0343 5064 SYMIDSCO (2133d1f879b280121b0e6a7d34b24a02) C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\SCFIDS~1\20110831.001\symidsco.sys
2011/09/03 04:47:56.0437 5064 SYMNDIS (2a8ebb694d702d91d8046b31c3da2220) C:\WINDOWS\System32\Drivers\SYMNDIS.SYS
2011/09/03 04:47:56.0500 5064 SYMREDRV (7c73b65f1bdfab9052a5076c0ca622de) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2011/09/03 04:47:56.0578 5064 SYMTDI (b4562798891dca27ed67ca07acbadbd9) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2011/09/03 04:47:56.0796 5064 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/03 04:47:56.0875 5064 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/03 04:47:56.0953 5064 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/03 04:47:57.0000 5064 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/03 04:47:57.0062 5064 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/03 04:47:57.0296 5064 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/03 04:47:57.0421 5064 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/03 04:47:57.0546 5064 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/09/03 04:47:57.0640 5064 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/03 04:47:57.0765 5064 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/03 04:47:57.0812 5064 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/03 04:47:57.0875 5064 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/09/03 04:47:57.0937 5064 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/09/03 04:47:58.0031 5064 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/03 04:47:58.0093 5064 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/03 04:47:58.0187 5064 usb_rndisx (b6cc50279d6cd28e090a5d33244adc9a) C:\WINDOWS\system32\DRIVERS\usb8023x.sys
2011/09/03 04:47:58.0281 5064 Vax347b (cb3400d696bee266c38cae330c2b4337) C:\WINDOWS\system32\DRIVERS\Vax347b.sys
2011/09/03 04:47:58.0343 5064 Vax347s (113e4b318bbaa7483ca4e582a4d63f49) C:\WINDOWS\system32\Drivers\Vax347s.sys
2011/09/03 04:47:58.0406 5064 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/09/03 04:47:58.0515 5064 viaagp1 (4b039bbd037b01f5db5a144c837f283a) C:\WINDOWS\system32\DRIVERS\viaagp1.sys
2011/09/03 04:47:58.0562 5064 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/09/03 04:47:58.0609 5064 viasraid (ebe101c01d80a42868f57b327be1b564) C:\WINDOWS\system32\DRIVERS\viasraid.sys
2011/09/03 04:47:58.0656 5064 vncdrv (67e6daca80eb4e1cba2ca02a09e76f32) C:\WINDOWS\system32\DRIVERS\vncdrv.sys
2011/09/03 04:47:58.0703 5064 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/03 04:47:58.0812 5064 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/03 04:47:58.0906 5064 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/03 04:47:59.0250 5064 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/09/03 04:47:59.0328 5064 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/09/03 04:47:59.0515 5064 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
2011/09/03 04:47:59.0640 5064 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/03 04:47:59.0734 5064 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk2\DR4
2011/09/03 04:47:59.0781 5064 Boot (0x1200) (74ce8e93ad772d4a2df82da71e5f13e6) \Device\Harddisk1\DR1\Partition0
2011/09/03 04:47:59.0812 5064 Boot (0x1200) (c2b85a1702438c5ed8b1c1229cf15530) \Device\Harddisk0\DR0\Partition0
2011/09/03 04:47:59.0859 5064 Boot (0x1200) (629c9cedaa3746476c9bab6cf0407c9e) \Device\Harddisk2\DR4\Partition0
2011/09/03 04:47:59.0890 5064 ================================================================================
2011/09/03 04:47:59.0890 5064 Scan finished
2011/09/03 04:47:59.0890 5064 ================================================================================
2011/09/03 04:47:59.0953 5288 Detected object count: 0
2011/09/03 04:47:59.0953 5288 Actual detected object count: 0
2011/09/03 04:48:08.0078 4644 Deinitialize success

Edited by chaossock, 11 March 2012 - 04:14 PM.


#6 shelf life

  • Malware Response Team
  • 2,653 posts
  • Gender:Male
  • Location:@localhost

Posted 11 March 2012 - 08:48 PM

ok, on to combofix. There is a guide to read first before using combofix. Read through the guide, then apply the directions on your own machine. Post the log. I won't be back online for 18 hrs or so.

Guide to using Combofix

How Can I Reduce My Risk to Malware?


#7 chaossock

  • Topic Starter
  • Members
  • 11 posts

Posted 12 March 2012 - 12:09 AM

ComboFix log below. Initial impression is that the computer is back to normal now. ComboFix is what miracles are made of.

If any other issues re-appear, I will post!

Thanks shelf

___________________________________

ComboFix 12-03-11.01 - BK Broiler 03/11/2012 21:38:03.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.526 [GMT -7:00]
Running from: c:\documents and settings\BK Broiler\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *Disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\binlabel.exe
c:\documents and settings\BK Broiler\Application Data\Bitrix Security
c:\documents and settings\BK Broiler\Application Data\Bitrix Security\fsc.txt
c:\documents and settings\BK Broiler\Application Data\Bitrix Security\lpe.txt
c:\documents and settings\BK Broiler\Application Data\Bitrix Security\mxd1.txt
c:\documents and settings\BK Broiler\Application Data\Bitrix Security\sfovd
c:\documents and settings\BK Broiler\Application Data\Bitrix Security\upxzkjj_shrd
c:\documents and settings\BK Broiler\Application Data\ircom.exe
c:\documents and settings\BK Broiler\Application Data\Mozilla\Firefox\Profiles\q59pjwsp.default\extensions\{29e54f4d-e19a-4d96-8722-85e884e2fb87}
c:\documents and settings\BK Broiler\Application Data\Mozilla\Firefox\Profiles\q59pjwsp.default\extensions\{29e54f4d-e19a-4d96-8722-85e884e2fb87}\chrome.manifest
c:\documents and settings\BK Broiler\Application Data\Mozilla\Firefox\Profiles\q59pjwsp.default\extensions\{29e54f4d-e19a-4d96-8722-85e884e2fb87}\chrome\xulcache.jar
c:\documents and settings\BK Broiler\Application Data\Mozilla\Firefox\Profiles\q59pjwsp.default\extensions\{29e54f4d-e19a-4d96-8722-85e884e2fb87}\defaults\preferences\xulcache.js
c:\documents and settings\BK Broiler\Application Data\Mozilla\Firefox\Profiles\q59pjwsp.default\extensions\{29e54f4d-e19a-4d96-8722-85e884e2fb87}\install.rdf
c:\documents and settings\BK Broiler\Application Data\Mozilla\Firefox\Profiles\q59pjwsp.default\extensions\{569adbb2-cae3-4c1a-8dc6-3f796b0a6b05}
c:\documents and settings\BK Broiler\Application Data\Mozilla\Firefox\Profiles\q59pjwsp.default\extensions\{569adbb2-cae3-4c1a-8dc6-3f796b0a6b05}\chrome.manifest
c:\documents and settings\BK Broiler\Application Data\Mozilla\Firefox\Profiles\q59pjwsp.default\extensions\{569adbb2-cae3-4c1a-8dc6-3f796b0a6b05}\chrome\xulcache.jar
c:\documents and settings\BK Broiler\Application Data\Mozilla\Firefox\Profiles\q59pjwsp.default\extensions\{569adbb2-cae3-4c1a-8dc6-3f796b0a6b05}\defaults\preferences\xulcache.js
c:\documents and settings\BK Broiler\Application Data\Mozilla\Firefox\Profiles\q59pjwsp.default\extensions\{569adbb2-cae3-4c1a-8dc6-3f796b0a6b05}\install.rdf
c:\documents and settings\BK Broiler\Application Data\Mozilla\Firefox\Profiles\q59pjwsp.default\extensions\{a13fa500-3d11-47a4-ad74-ac8ba4ed3c40}
c:\documents and settings\BK Broiler\Application Data\Mozilla\Firefox\Profiles\q59pjwsp.default\extensions\{a13fa500-3d11-47a4-ad74-ac8ba4ed3c40}\chrome.manifest
c:\documents and settings\BK Broiler\Application Data\Mozilla\Firefox\Profiles\q59pjwsp.default\extensions\{a13fa500-3d11-47a4-ad74-ac8ba4ed3c40}\chrome\xulcache.jar
c:\documents and settings\BK Broiler\Application Data\Mozilla\Firefox\Profiles\q59pjwsp.default\extensions\{a13fa500-3d11-47a4-ad74-ac8ba4ed3c40}\defaults\preferences\xulcache.js
c:\documents and settings\BK Broiler\Application Data\Mozilla\Firefox\Profiles\q59pjwsp.default\extensions\{a13fa500-3d11-47a4-ad74-ac8ba4ed3c40}\install.rdf
c:\documents and settings\BK Broiler\My Documents\~WRL0257.tmp
c:\documents and settings\BK Broiler\My Documents\~WRL1051.tmp
c:\documents and settings\BK Broiler\uyqfativhr.tmp
c:\documents and settings\BK Broiler\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\windows\iun6002.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\SET106.tmp
c:\windows\system32\SET117.tmp
c:\windows\system32\SET119.tmp
c:\windows\system32\SET128.tmp
c:\windows\system32\SET152.tmp
c:\windows\system32\SET154.tmp
c:\windows\system32\SET160.tmp
c:\windows\system32\SETEF.tmp
c:\windows\system32\SETFA.tmp
c:\windows\system32\SETFF.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NETMAN32
-------\Legacy_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-02-12 to 2012-03-12 )))))))))))))))))))))))))))))))
.
.
2012-03-11 20:50 . 2012-03-11 20:50 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-11 07:16 . 2012-03-11 07:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-03-10 17:11 . 2012-03-10 17:11 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-08 21:57 . 2012-03-08 21:57 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2012-03-05 00:24 . 2012-03-05 00:24 -------- d-----w- c:\documents and settings\BK Broiler\Application Data\Aladdin Systems
2012-03-04 23:38 . 2012-03-04 23:38 -------- d-----w- c:\program files\Microsoft.NET
2012-02-15 09:09 . 2012-02-17 01:00 -------- d-----w- c:\program files\Common Files\Native Instruments
2012-02-15 09:09 . 2012-02-17 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Native Instruments
2012-02-15 05:44 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 05:44 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 16:53 . 2011-05-01 19:22 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-19 08:53 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2011-12-19 08:53 . 2004-08-04 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-12-19 08:53 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-12-16 13:16 . 2004-08-04 12:00 369664 ----a-w- c:\windows\system32\html.iec
2012-02-18 02:13 . 2011-04-27 03:07 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\BESECU~1\SYMANT~2\VPTray.exe" [2005-04-17 85184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2006-01-07 172032]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"MDDiskProtect.exe"="c:\program files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-07-07 94208]
"MediafourGettingStartedWithMacDrive6"="c:\program files\Mediafour\MacDrive\MacDrive.exe" [2005-07-07 86016]
"Mediafour Mac Volume Notifications"="c:\program files\Common Files\Mediafour\MACVNTFY.EXE" [2005-07-07 61440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-20 421736]
.
c:\documents and settings\BK Broiler\Start Menu\Programs\Startup\
My_AutoWarkey_Script.lnk - c:\games\Warcraft III\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe [N/A]
PowerReg Scheduler.exe [2006-9-9 225280]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F6D4050\v1\BelkinWCUI.exe [2009-7-29 1077248]
HP Digital Imaging Monitor.lnk - c:\program files\HP\digital imaging\bin\hpqtra08.exe [2004-5-28 241664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MacDrive-iTunes compatibility]
2005-07-07 00:41 61440 ----a-r- c:\program files\Common Files\Mediafour\MacDriveiTunesPatch.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\prwntdrv]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Installers\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
.
R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.SYS [7/6/2005 5:42 PM 44404]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [4/28/2004 12:17 PM 77312]
R1 MDFSYSNT;MDFSYSNT;c:\windows\system32\drivers\MDFSYSNT.SYS [7/6/2005 5:42 PM 277352]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
R3 EraserUtilDrv11122;EraserUtilDrv11122;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11122.sys [2/17/2012 9:20 PM 106104]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [3/22/2005 7:17 PM 450400]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5b.sys [9/2/2003 8:22 AM 44032]
S3 jbridgep;jbridgep;\??\c:\docume~1\BKBROI~1\LOCALS~1\Temp\jbridgep.sys --> c:\docume~1\BKBROI~1\LOCALS~1\Temp\jbridgep.sys [?]
S3 SavRoam;SAVRoam;c:\program files\BeSecure 2005\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2/3/2011 12:43 AM 96488]
S4 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [3/20/2006 9:54 PM 159616]
S4 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [3/20/2006 9:54 PM 5248]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-09 04:57]
.
2005-10-01 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-10-01 00:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\BK Broiler\Application Data\Mozilla\Firefox\Profiles\q59pjwsp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
FF - prefs.js: network.proxy.type - 2
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-Mediafour Mac Volume Icons - (no file)
HKCU-Run-binlabel - c:\documents and settings\All Users\binlabel.exe
HKCU-Run-ircom - c:\documents and settings\BK Broiler\Application Data\ircom.exe
HKLM-Run-dplaysvr - c:\documents and settings\BK Broiler\Application Data\dplaysvr.exe
HKLM-Run-binlabel - c:\documents and settings\All Users\binlabel.exe
HKLM-Run-ircom - c:\documents and settings\BK Broiler\Application Data\ircom.exe
HKU-Default-Run-systemrxxt.exe - c:\systemrxxt.exe\systemrxxt.exe
HKU-Default-Run-dplaysvr - c:\documents and settings\BK Broiler\Application Data\dplaysvr.exe
HKU-Default-Run-binlabel - c:\documents and settings\All Users\binlabel.exe
HKU-Default-Run-ircom - c:\documents and settings\BK Broiler\Application Data\ircom.exe
Notify-AtiExtEvent - (no file)
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\Samsung\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\Samsung\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\Samsung\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-12_Symbian_USB_Download_Driver - c:\program files\Samsung\USB Drivers\12_Symbian_USB_Download_Driver\Uninstall.exe
AddRemove-15_Symbian_Samsung_PC_DLC_Driver - c:\program files\Samsung\USB Drivers\15_Symbian_Samsung_PC_DLC_Driver\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\Samsung\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\Samsung\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\Samsung\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-21_Searsburg - c:\program files\Samsung\USB Drivers\21_Searsburg\Uninstall.exe
AddRemove-22_WiBro_WiMAX - c:\program files\Samsung\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-11 21:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\docume~1\BKBROI~1\LOCALS~1\Temp\TMP3.tmp 327744 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1167283570-3516745673-1861756515-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(576)
c:\program files\Common Files\Mediafour\MacDriveiTunesPatch.dll
.
- - - - - - - > 'explorer.exe'(1412)
c:\program files\Common Files\Mediafour\MACVICON.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\BeSecure 2005\Symantec Client Firewall\ISSVC.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\BeSecure 2005\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Alcohol 120\Alcohol 120\StarWind\StarWindService.exe
c:\program files\BeSecure 2005\Symantec AntiVirus\Rtvscan.exe
c:\program files\BeSecure 2005\Symantec Client Firewall\SymSPort.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\SOUNDMAN.EXE
c:\program files\BeSecure 2005\Symantec AntiVirus\DoScan.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-03-11 22:00:36 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-12 05:00
.
Pre-Run: 7,096,016,896 bytes free
Post-Run: 8,281,829,376 bytes free
.
- - End Of File - - B0B433A7CF3EFD297A84961EF8F3AC7E

#8 shelf life

  • Malware Response Team
  • 2,653 posts
  • Gender:Male
  • Location:@localhost

Posted 12 March 2012 - 05:57 PM

ok. Good. We will use combofix to remove a file if it's actually there:

Click Start, then Run.
Type notepad.exe in the Run box.

Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
jbridgep

File::
c:\docume~1\bkbroi~1\locals~1\temp\jbridgep.sys
c:\docume~1\BKBROI~1\LOCALS~1\Temp\TMP3.tmp

Name the Notepad file CFScript.txt and save it to your desktop. Disable your running AV so it doesn't interfere with combofix.
Now locate the file you just saved (CFScript.txt) and the combofix icon, both on your desktop.
Using your mouse, drag the CFScript.txt right on top of the combofix icon and release; combofix will run and produce a new log.
Please post the new combofix log.

After combofix is all done:
Next:
click Start>Run, then copy/paste this cmd into the run box and click ok or enter.

cmd /c notepad %windir%\system32\drivers\etc\hosts
A text file should pop up. You can copy/paste the contents of your hosts file in your reply along with the new combofix log.

How Can I Reduce My Risk to Malware?


#9 chaossock

  • Topic Starter
  • Members
  • 11 posts

Posted 14 March 2012 - 12:58 AM

hey shelf,

I ran combofix with the script, but I accidentally lost the log file after restart. I'm going to run it again in the exact same way and I'll make sure to copy the whole log 1st thing, then post it. I hope I haven't ruined anything.

Anyway, here is the hosts command results

127.0.0.1 localhost


Will re-run combofix and post results shortly.

#10 chaossock

  • Topic Starter
  • Members
  • 11 posts

Posted 14 March 2012 - 01:28 AM

Ugh, I feel stupid. I forgot that combofix autosaves a log. Running it again overwrote the first log that I said I had lost. Anyway, it's pasted just below.

Also, I ran the hosts command again, and the result is the same.

Thanks again shelf




ComboFix 12-03-11.01 - BK Broiler 03/13/2012 23:12:54.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.248 [GMT -7:00]
Running from: c:\documents and settings\BK Broiler\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\BK Broiler\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *Disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.
FILE ::
"c:\docume~1\bkbroi~1\locals~1\temp\jbridgep.sys"
"c:\docume~1\BKBROI~1\LOCALS~1\Temp\TMP3.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
K:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-02-14 to 2012-03-14 )))))))))))))))))))))))))))))))
.
.
2012-03-12 05:31 . 2012-03-12 05:33 2829 ----a-w- c:\windows\War3Unin.pif
2012-03-12 05:31 . 2012-03-12 05:33 139264 ----a-w- c:\windows\War3Unin.exe
2012-03-11 20:50 . 2012-03-11 20:50 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-11 07:16 . 2012-03-11 07:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-03-10 17:11 . 2012-03-10 17:11 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-08 21:57 . 2012-03-08 21:57 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2012-03-05 00:24 . 2012-03-05 00:24 -------- d-----w- c:\documents and settings\BK Broiler\Application Data\Aladdin Systems
2012-03-04 23:38 . 2012-03-04 23:38 -------- d-----w- c:\program files\Microsoft.NET
2012-02-15 09:09 . 2012-02-17 01:00 -------- d-----w- c:\program files\Common Files\Native Instruments
2012-02-15 09:09 . 2012-02-17 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Native Instruments
2012-02-15 05:44 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 05:44 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 16:53 . 2011-05-01 19:22 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-19 08:53 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2011-12-19 08:53 . 2004-08-04 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-12-19 08:53 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-12-16 13:16 . 2004-08-04 12:00 369664 ----a-w- c:\windows\system32\html.iec
2012-02-18 02:13 . 2011-04-27 03:07 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-12_04.55.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-06 01:34 . 2012-03-12 05:37 97298 c:\windows\War3Unin.dat
+ 2012-03-14 06:06 . 2012-03-14 06:06 16384 c:\windows\Temp\Perflib_Perfdata_508.dat
+ 2010-01-05 02:20 . 2012-03-14 06:09 25214 c:\windows\Installer\{3829960D-73DA-479B-BBE1-BF0FBC35999B}\PeaceShieldIcon.exe
- 2010-01-05 02:20 . 2010-01-05 02:20 25214 c:\windows\Installer\{3829960D-73DA-479B-BBE1-BF0FBC35999B}\PeaceShieldIcon.exe
+ 2010-01-05 02:20 . 2012-03-14 06:09 34304 c:\windows\Installer\{3829960D-73DA-479B-BBE1-BF0FBC35999B}\Icon3829960D.exe
- 2010-01-05 02:20 . 2010-01-05 02:20 34304 c:\windows\Installer\{3829960D-73DA-479B-BBE1-BF0FBC35999B}\Icon3829960D.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\BESECU~1\SYMANT~2\VPTray.exe" [2005-04-17 85184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2006-01-07 172032]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"MDDiskProtect.exe"="c:\program files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-07-07 94208]
"MediafourGettingStartedWithMacDrive6"="c:\program files\Mediafour\MacDrive\MacDrive.exe" [2005-07-07 86016]
"Mediafour Mac Volume Notifications"="c:\program files\Common Files\Mediafour\MACVNTFY.EXE" [2005-07-07 61440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-20 421736]
.
c:\documents and settings\BK Broiler\Start Menu\Programs\Startup\
My_AutoWarkey_Script.lnk - c:\games\Warcraft III\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe [2009-9-25 245248]
PowerReg Scheduler.exe [2006-9-9 225280]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F6D4050\v1\BelkinWCUI.exe [2009-7-29 1077248]
HP Digital Imaging Monitor.lnk - c:\program files\HP\digital imaging\bin\hpqtra08.exe [2004-5-28 241664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MacDrive-iTunes compatibility]
2005-07-07 00:41 61440 ----a-r- c:\program files\Common Files\Mediafour\MacDriveiTunesPatch.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\prwntdrv]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Installers\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
.
R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.SYS [7/6/2005 5:42 PM 44404]
R0 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [3/20/2006 9:54 PM 159616]
R0 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [3/20/2006 9:54 PM 5248]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [4/28/2004 12:17 PM 77312]
R1 MDFSYSNT;MDFSYSNT;c:\windows\system32\drivers\MDFSYSNT.SYS [7/6/2005 5:42 PM 277352]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [3/22/2005 7:17 PM 450400]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5b.sys [9/2/2003 8:22 AM 44032]
S3 SavRoam;SAVRoam;c:\program files\BeSecure 2005\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2/3/2011 12:43 AM 96488]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - EraserUtilDrv11122
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-09 04:57]
.
2005-10-01 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-10-01 00:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\BK Broiler\Application Data\Mozilla\Firefox\Profiles\q59pjwsp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
FF - prefs.js: network.proxy.type - 2
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-Mediafour Mac Volume Icons - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-13 23:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1167283570-3516745673-1861756515-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(768)
c:\program files\Common Files\Mediafour\MacDriveiTunesPatch.dll
.
Completion time: 2012-03-13 23:25:09
ComboFix-quarantined-files.txt 2012-03-14 06:25
ComboFix2.txt 2012-03-14 05:48
ComboFix3.txt 2012-03-12 05:00
.
Pre-Run: 7,342,878,720 bytes free
Post-Run: 7,338,098,688 bytes free
.
- - End Of File - - 30A942AE6F887A8241C30006864AB816
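
As an added example (not from the thread, and not part of ComboFix or any other tool named here), a small audit over report lines of the kind shown above: it flags Security Center monitoring and the Windows Firewall being switched off, and the Firefox prefs that redirect searches to a non-chosen host or send traffic through a proxy auto-config (PAC) URL. The sample lines are a constructed excerpt modelled on the log above, and the allow-list of search hosts and the function name are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt modelled on the ComboFix report posted above (not the full log).
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"DisableNotifications"= 1 (0x1)
"EnableFirewall"= 0 (0x0)
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
FF - prefs.js: network.proxy.type - 2
"""

FF_PREF = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:)?([0-9A-Fa-f]+)')
# Firefox network.proxy.type: 0 = direct, 1 = manual, 2 = PAC URL, 4 = WPAD, 5 = system settings.
PROXY_TYPES = {"1": "manual proxy", "2": "PAC URL", "4": "WPAD auto-detect"}
# Assumed allow-list of search hosts the user actually chose; any other host is reported.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}


def audit_combofix(report: str) -> list[str]:
    """Flag registry and Firefox lines of a ComboFix report that weaken defences or redirect the browser."""
    findings, section = [], ""
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]  # registry key the following values belong to
            continue
        if m := FF_PREF.match(line):
            pref, value = m.group(1), m.group(2).strip()
            if pref == "network.proxy.type" and value not in ("0", "5"):
                findings.append(f"firefox proxy: {PROXY_TYPES.get(value, 'unknown')} "
                                f"(network.proxy.type={value}); review network.proxy.autoconfig_url")
            elif pref in ("browser.search.defaulturl", "keyword.URL"):
                host = urlparse(re.sub(r"^hxxp", "http", value)).hostname  # undo log defanging
                if host not in TRUSTED_SEARCH_HOSTS:
                    findings.append(f"firefox search override: {pref} -> {host}")
        elif m := REG_VALUE.match(line):
            name, value = m.group(1), int(m.group(2), 16)
            key, product = section.lower(), section.rsplit("\\", 1)[-1]
            if "security center\\monitoring" in key and name == "DisableMonitoring" and value == 1:
                findings.append(f"security center monitoring disabled for {product}")
            elif "firewallpolicy\\standardprofile" in key and name == "EnableFirewall" and value == 0:
                findings.append("windows firewall disabled (EnableFirewall=0)")
    return findings
```

Calling `audit_combofix(SAMPLE_LOG)` returns five findings for the excerpt; the unchanged Google homepage line is not reported.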

#11 shelf life

shelf life

  • Malware Response Team
  • 2,653 posts
  • Gender:Male
  • Location:@localhost

Posted 14 March 2012 - 06:33 PM

OK, good. To remove ComboFix you can do this:
Start > Run and type in:
combofix /uninstall
Click OK or press Enter.
Note the space after the x and before the /

You can delete the tdsskiller icon from your desktop.
Last, if all is good, some tips to help you remain malware free.



10 Tips for Prevention and Avoidance of Malware:
There is no reason why your computer cannot stay malware-free.


No software can think for you. Help yourself. In no special order:

1) It is essential to keep your operating system (Windows), browser (IE, Firefox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also essential for other web-based applications like Java, Adobe Flash/Reader, iTunes etc. More and more third-party applications are being targeted. Use the auto-update features available in most software. Not sure if you are using the latest version of software? Check their version status and get the updates here.

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer, after which you are prompted to install software to remedy this. See also the signs that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently finds malware then it's time to *review your computer habits*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks.

5) Do not click on ads/pop-ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) Your browser risks: The why and how to secure your browser for safer surfing.

10) Warez, cracks, keygens etc. are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. Can you really trust the source of the file?


More info/tips with pictures, links below

Happy Safe Surfing.

How Can I Reduce My Risk to Malware?


#12 chaossock

chaossock
  • Topic Starter

  • Members
  • 11 posts

Posted 14 March 2012 - 07:48 PM

Awesome, many thanks to you



