
Help!


18 replies to this topic

#1 BassDude

Posted 10 September 2006 - 06:10 PM

Hey gang, I'm new here and I was hoping I could get someone to take a look at this and help me figure out what I need to get this PC cleaned.

I'm getting pop ups all over the place, and when I try and run SpyBot Search and Destroy it gives me an error message before I can delete anything. It tells me it is stopping a program called "Network Monitor" and then it runs through all of the searches, but when you go to fix the selected problems, error message.

I ran AdAware four times and it still keeps popping up with items, mostly the same few, and I did a virus scan which yielded nothing. I have already run the removal tools for VirusBlast.

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:38:28 PM, on 9/10/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\qdchxh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\NvVid.exe
C:\WINDOWS\Duce6.exe
C:\WINDOWS\System32\dxvwnzxn.exe
C:\WINDOWS\thiselt.exe
C:\windows\system32\oqdsrego.exe
C:\Program Files\Common Files\{3C21F21B-086E-1033-1127-030502080001}\Update.exe
C:\PROGRA~1\COMMON~1\RACLE~1\cmd.exe
C:\CFusion\cfam\program\ccmgr.exe
C:\DOCUME~1\Jeffrey\LOCALS~1\Temp\stdrun182560.exe
C:\CFusion\Bin\cfserver.exe
C:\CFusion\Bin\cfexec.exe
C:\CFusion\Bin\cfrdsservice.exe
C:\CFusion\cfam\Program\wsm.exe
C:\CFusion\cfam\Program\dfp.exe
C:\CFusion\cfam\Program\wsprobe.exe
C:\CFusion\JRun\bin\JRun.exe
C:\CFusion\jrun\bin\jrun.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\WINDOWS\System32\svchost.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\zkmtftm.exe
C:\CFusion\cfam\bin\CANamingAdapter.exe
C:\WINDOWS\System32\lwinrpex.exe
C:\WINDOWS\sys101008857627.exe
C:\WINDOWS\System32\hmtlx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\hmtlx.exe
C:\WINDOWS\System32\hmtlx.exe
C:\Documents and Settings\Jeffrey\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {3935833A-6CF2-6450-A4DF-6943B111A699} - C:\WINDOWS\System32\hcgvwkf.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\hmtlx.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,riapime.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {241EB532-1793-7537-899B-516E85538DAF} - C:\WINDOWS\System32\dsrs.dll (file missing)
O2 - BHO: (no name) - {3935833A-6CF2-6450-A4DF-6943B111A699} - C:\WINDOWS\System32\hcgvwkf.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsf9.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [removenot] c:\windows\system32\removenot.exe
O4 - HKLM\..\Run: [NvVideoCenter] C:\WINDOWS\System32\NvVid.exe
O4 - HKLM\..\Run: [raq2e115] RUNDLL32.EXE w000df25.dll,n 0042e11100000005000df25
O4 - HKLM\..\Run: [sys101008857627] C:\WINDOWS\sys101008857627.exe
O4 - HKLM\..\Run: [zkmtftmA] C:\WINDOWS\zkmtftmA.exe
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [w0021c19.dll] RUNDLL32.EXE w0021c19.dll,I2 0042e11100021c19
O4 - HKLM\..\Run: [Explorer 2238] C:\WINDOWS\System32\dxvwnzxn.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\lwinrpex.exe ELT001
O4 - HKLM\..\Run: [{1F-F2-21-1B-ZN}] C:\windows\system32\oqdsrego.exe ELT001
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [865712cf.exe] C:\Documents and Settings\Jeffrey\Local Settings\Application Data\865712cf.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\System32\crunner\cproc.exe
O4 - HKCU\..\Run: [Hleu] "C:\PROGRA~1\COMMON~1\RACLE~1\cmd.exe" -vt yazr
O4 - HKCU\..\Run: [Itn] C:\Program Files\W?nSxS\??xplore.exe
O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\Jeffrey\LOCALS~1\Temp\stdrun185632.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Jeffrey\LOCALS~1\Temp\stdrun182560.exe
O4 - HKCU\..\Run: [PSCloner] "C:\Program Files\PSCloner\PSCloner.exe"
O4 - HKCU\..\Run: [murm] C:\PROGRA~1\COMMON~1\murm\murmm.exe
O4 - HKCU\..\Run: [CMFibula] "C:\Program Files\CMFibula\CMFibula.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\lwinrpex.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: jkoie.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157864533325
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157864525387
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file)
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINDOWS\System32\dxvwnzxn.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ColdFusion Monitoring Service (ClusterCATS Service) - Unknown owner - C:\CFusion\cfam\program\ccmgr.exe
O23 - Service: Cold Fusion Application Server - Macromedia Inc. - C:\CFusion\Bin\cfserver.exe
O23 - Service: ColdFusion Executive (Cold Fusion Executive) - Macromedia Inc. - C:\CFusion\Bin\cfexec.exe
O23 - Service: ColdFusion RDS (Cold Fusion RDS) - Macromedia Inc. - C:\CFusion\Bin\cfrdsservice.exe
O23 - Service: ColdFusion Graphing Server - Unknown owner - C:\CFusion\JRun\bin\JRun.exe
O23 - Service: ColdFusion Management Repository Server (ColdFusion Management Repository) - Unknown owner - C:\CFusion\jrun\bin\jrun.exe" -jrundir "C:\CFusion\jrun" -nt "ColdFusion Management Repository" "cfam (file missing)
O23 - Service: ColdFusion Management Service - Unknown owner - C:\CFusion\cfam\bin\CANamingAdapter.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\zkmtftm.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


Hope you can help!
Thanks
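
The log above is a catalogue of Windows XP-era persistence points: the Winlogon Shell= and UserInit= values carry extra executables (hmtlx.exe, riapime.exe), there are unnamed BHOs, Run entries launching from the user's Temp folder and from the Windows directory root, two sites added to the IE Trusted Zone, a Winlogon Notify DLL outside System32, and an SSODL entry pointing at an .exe. As an added example for this thread (this is not HijackThis code and not part of the original post), the Python script below parses those HJT entry types and flags the patterns a cleaner pulls out first. The sample lines are copied from the log above; the four baseline SSODL CLSIDs are the default entries visible in the ComboFix output later in the thread; the Temp-directory names, the rundll32 check and the other heuristics are this example's own assumptions.

```python
"""Triage helper for HijackThis v1.99.1 log lines (Windows XP era).

Added example, not HijackThis code. Directory heuristics and the rundll32 check are
assumptions of this example; the SSODL baseline is the four default entries
(PostBootReminder, CDBurn, WebCheck, SysTray) seen in the thread's ComboFix output.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe"
BASELINE_SSODL = {
    "{7849596a-48ea-486e-8937-a2a3009f31a9}", "{fbeb8a05-beee-4442-804e-409d6c4515e9}",
    "{e6fb5e20-de35-11cf-9c87-00aa005127ed}", "{35cec8a3-2be6-11d2-8773-92e220524153}",
}
TEMP_DIRS = ("\\local settings\\temp\\", "\\locals~1\\temp\\")  # long and 8.3 forms (assumption)

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)
NONAME_RE = re.compile(r"^(O2|O3) - (?:BHO|Toolbar): \(no name\) - (\{[0-9A-F-]+\}) - (.*)$", re.I)
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\(?:Run|RunServices|RunOnce): \[(.*?)\] (.*)$", re.I)
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (.*)$", re.I)
O15_RE = re.compile(r"^O15 - Trusted Zone: (.*)$", re.I)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$", re.I)
O21_RE = re.compile(r"^O21 - SSODL: .*? - (\{[0-9A-F-]+\}) - (.*)$", re.I)


@dataclass
class Finding:
    entry_type: str   # HJT section code, e.g. "F2", "O4", "O20"
    reason: str
    line: str


def f2_reason(key: str, value: str) -> str | None:
    """Shell= and UserInit= must hold only the Windows default; anything appended runs at logon."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    default = DEFAULT_SHELL if key.lower() == "shell" else DEFAULT_USERINIT
    extras = [p for p in parts if p.lower() != default]
    return f"{key}= also launches: {', '.join(extras)}" if extras else None


def run_reason(command: str) -> str | None:
    """Heuristics for HKLM/HKCU Run commands; legitimate Program Files entries pass through."""
    cmd = command.strip().strip('"').lower()
    if "?" in cmd:  # HJT renders non-ASCII path characters as '?', e.g. W?nSxS\??xplore.exe
        return "path contains characters HijackThis could not render (shown as ?)"
    if any(d in cmd for d in TEMP_DIRS):
        return "launches from the user's Temp directory"
    if cmd.startswith("rundll32"):
        args = cmd.split(None, 1)
        dll = args[1].split(",")[0].strip() if len(args) > 1 else ""
        return f"rundll32 loads a pathless DLL: {dll}" if dll and "\\" not in dll else None
    if re.match(r"^[a-z]:\\windows\\[^\\]+\.exe", cmd):
        return "executable dropped directly into the Windows directory"
    if re.match(r"^[a-z]:\\[^\\]+\.exe", cmd):
        return "executable in the drive root"
    return None


def _classify(line: str) -> str | None:
    m = F2_RE.match(line)
    if m:
        return f2_reason(m.group(1), m.group(2))
    m = NONAME_RE.match(line)
    if m:
        return f"unnamed browser extension {m.group(2)} loading {m.group(3)}"
    m = RUN_RE.match(line)
    if m:
        return run_reason(m.group(2))
    m = STARTUP_RE.match(line)
    if m:  # "name.lnk = target" is a shortcut; a bare .exe was copied straight into Startup
        name = m.group(1).split(" = ")[0]
        return "raw executable in the Startup folder (not a shortcut)" if name.lower().endswith(".exe") else None
    m = O15_RE.match(line)
    if m:
        return f"site added to the IE Trusted Zone: {m.group(1)}"
    m = O20_RE.match(line)
    if m:
        return None if "\\windows\\system32\\" in m.group(2).lower() else f"Winlogon Notify DLL outside System32: {m.group(2)}"
    m = O21_RE.match(line)
    if m:
        if m.group(1).lower() in BASELINE_SSODL:
            return None
        return "non-default ShellServiceObjectDelayLoad entry" + (" pointing at an .exe" if m.group(2).lower().endswith(".exe") else "")
    return None


def triage(log_text: str) -> list[Finding]:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = _classify(line)
        if reason:
            findings.append(Finding(line.split(" - ", 1)[0], reason, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.entry_type for f in findings))


# Lines copied from the HijackThis log posted above (two clean entries included as controls).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\hmtlx.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,riapime.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3935833A-6CF2-6450-A4DF-6943B111A699} - C:\WINDOWS\System32\hcgvwkf.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [sys101008857627] C:\WINDOWS\sys101008857627.exe
O4 - HKLM\..\Run: [raq2e115] RUNDLL32.EXE w000df25.dll,n 0042e11100000005000df25
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Itn] C:\Program Files\W?nSxS\??xplore.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Jeffrey\LOCALS~1\Temp\stdrun182560.exe
O4 - Global Startup: jkoie.exe
O15 - Trusted Zone: *.elitemediagroup.net
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINDOWS\System32\dxvwnzxn.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.entry_type}] {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the full log, the script is a first pass only: it will not name the malware families, and an entry it leaves alone (VTTimer.exe, the ColdFusion services) still needs a human to confirm. Its value is that the Shell=/UserInit= and Winlogon Notify hits tell you the machine runs attacker code before the desktop appears, which is why a cleaner asks for a fresh log after every step rather than trusting a single scan.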


#2 Mr_JAk3
HJT Team Member
Location: Finland

Posted 11 September 2006 - 10:37 AM

Hi BassDude and welcome to Bleeping Computer :thumbsup:

You got a massive infection collection there :flowers:

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.

If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach.

I suggest that you read this article too.

Before we can start the cleaning I need you to do something important.

Please download and install Windows XP Service Pack 1A -> Windows XP SP1a
NOTE! Do NOT install Service Pack 2 yet. We'll have to get you cleaned first

Please create a new folder named HjT to your desktop and move HijackThis.exe into that folder.

When you're ready, please post a fresh HijackThis log to here :huh:

Edited by Mr_JAk3, 11 September 2006 - 10:38 AM.

UNITE & ASAP member since 2006

#3 BassDude
Topic Starter

Posted 11 September 2006 - 09:17 PM

:thumbsup: It says that my Windows is not Genuine and I can't get the update ... even though this is the OS I bought with this PC

#4 Mr_JAk3
HJT Team Member
Location: Finland

Posted 12 September 2006 - 05:55 AM

Hi again, if your OS were legal, you should be able to do the update.
Now it seems that you have an illegal copy of Windows.... :thumbsup:

You can try validating again from here

The reason why I would have wanted you to update your system before the cleaning is that without the updates, re-infection is highly likely.
So there is no point in cleaning because you will probably get infected again.
Even with a proper firewall and antivirus you get infected since the system is vulnerable...
As long as you can't stay clean, there is no point in cleaning....

If you think that you have bought the legal version, I suggest that you check the following link ->
Microsoft.com

If you're using an illegal version, I strongly suggest that you buy the legal one.
If you don't want to spend your money, there are free alternatives available too. E.g. many Linux-based operating systems are free.

Please let me know your thoughts about this.

Edited by Mr_JAk3, 12 September 2006 - 05:56 AM.

UNITE & ASAP member since 2006

#5 BassDude
Topic Starter

Posted 12 September 2006 - 02:32 PM

I spoke to the Best Buy I bought my PC from and they refuse to pay for the validation, so it looks like I am going to have to fork out the 150 bucks to do it myself and take them to small claims court. Nice. I am pretty ticked about this deal. Not the first problem I have had with them about this thing.

Is there any way I can get you to help me fix it so that until I actually get the validation I can use the computer offline?

#6 Mr_JAk3
HJT Team Member
Location: Finland

Posted 13 September 2006 - 12:33 PM

Is there any way I can get you to help me fix it so that until I actually get the validation I can use the computer offline?

Yes, you promise that you'll get rid of your illegal windows as soon as possible ;)

Ok, so we'll begin the cleaning process...

First, create a new folder named HijackThis on your desktop. Then move HijackThis.exe into that folder.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

UNITE & ASAP member since 2006

#7 BassDude
Topic Starter

Posted 13 September 2006 - 06:18 PM

Thank you so much, and YES I PROMISE!! :-D

Here's the Combo fix log


ComboFix 06.09.14 - Running from: C:\Documents and Settings\Jeffrey\My Documents

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


O4 - HKCU\...\Run C:\WINDOWS\system32\qdchxh.exe
O4 - HKLM\...\Run C:\WINDOWS\System32\qdchxh.exe
F2 -REG:system.ini: Shell C:\WINDOWS\System32\hmtlx.exe
F2 -REG:system.ini: UserInit C:\WINDOWS\system32\riapime.exe


* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\qdchxh.exe
C:\WINDOWS\system32\wkchopp.dll
C:\WINDOWS\system32\riapime.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\jkoie.exe
C:\WINDOWS\pyjoo.dll
C:\WINDOWS\system32\wbrlj.dat
C:\WINDOWS\system32\hmtlx.exe


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-09-10 20:32 127488 jkoie.exe.qoo
06-09-10 21:42 127488 wbrlj.dat.qoo
06-09-09 01:07 127488 qdchxh.exe.qoo
06-09-10 21:42 51712 wkchopp.dll.qoo
06-09-11 22:32 28672 hmtlx.exe.qoo
06-09-11 22:32 23552 riapime.exe.qoo
06-09-13 18:04 361 pyjoo.dll.qoo
06-09-07 23:48 53 vccwwl.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Jeffrey\Application Data\Sskcwrd.dll
C:\Documents and Settings\Jeffrey\Application Data\Sskdmns.dll
C:\WINDOWS\system32\bk.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\Duce6.exe
C:\WINDOWS\teller2.chk
C:\dfndrff_e.exe
C:\drsmartload.exe
C:\deskbar3.exe
C:\kybrdff_18.exe
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\rpcc.exe
C:\WINDOWS\system32\wtssvtr.exe
C:\WINDOWS\csvhost.exe
C:\WINDOWS\justin.exe
C:\WINDOWS\whCC-GIANT.exe
C:\WINDOWS\Eim03.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Common Files\misc002
C:\Program Files\batty2
C:\Program Files\cmfibula
C:\Program Files\Cowabanga
C:\Program Files\Deskbar
C:\Program Files\Inetget2
C:\Program Files\PSLister
C:\WINDOWS\system32\components
C:\WINDOWS\system32\crunner
C:\Program Files\Common Files\{3C21F21B-086E-1033-1127-030502080001}
C:\Documents and Settings\All Users\Documents\Settings

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Jeffrey\Application Data\PPATCH~1
C:\QooBox\Purity\Documents and Settings\Jeffrey\My Documents\ICROSO~1.NET
C:\QooBox\Purity\Program Files\WNSXS~1
C:\QooBox\Purity\Program Files\Common Files\RACLE~1
C:\QooBox\Purity\Program Files\Common Files\RACLE~1\cmd.exe
C:\QooBox\Purity\Program Files\Common Files\RACLE~1\RACLE~1
C:\QooBox\Purity\Program Files\WNSXS~1\??xplore.exe


((((((((((((((((((((((((((((((( Files Created from 2006-08-13 to 2006-09-13 ))))))))))))))))))))))))))))))))))


2006-09-12 14:38 53,120 --a------ C:\WINDOWS\optimize.exe
2006-09-12 14:38 267,228 --a------ C:\WINDOWS\popupwithcast.exe
2006-09-11 18:51 7,168 --a------ C:\WINDOWS\comdlj32.dll
2006-09-11 18:51 29,236 -rahs---- C:\WINDOWS\system32\spoolsvv.exe
2006-09-10 00:04 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
2006-09-10 00:04 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2006-09-10 00:04 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2006-09-10 00:04 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-09-10 00:04 158,720 --------- C:\WINDOWS\system32\xpob2res.dll
2006-09-10 00:02 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2006-09-10 00:02 41,240 --a------ C:\WINDOWS\system32\wups.dll
2006-09-10 00:02 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2006-09-10 00:02 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2006-09-10 00:02 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2006-09-10 00:02 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2006-09-09 02:09 928 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-09-09 02:03 82,944 --a------ C:\WINDOWS\system32\dxvwnzxn.exe
2006-09-09 01:08 82,944 --a------ C:\WINDOWS\system32\dxvwelii.exe
2006-09-07 23:49 146 --a------ C:\WINDOWS\file.bat
2006-09-07 23:48 186,219 --a------ C:\WINDOWS\srvzzyzirv.exe
2006-09-07 23:48 163,840 --a------ C:\WINDOWS\sys101008857627.exe
2006-09-07 23:48 1,233 --a------ C:\WINDOWS\system32\raq2e115.sys
2006-08-17 23:05 12,288 --a------ C:\WINDOWS\system32\pwfc.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-09-13 18:10 -------- d-------- C:\Program Files\Common Files
2006-09-12 14:38 32135 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2006-09-12 14:38 -------- d-------- C:\Program Files\whInstall
2006-09-12 14:38 -------- d-------- C:\Program Files\popupwithcast
2006-09-11 22:35 -------- d-------- C:\Program Files\ewido anti-malware
2006-09-11 21:19 -------- d-------- C:\Program Files\BearShare
2006-09-10 18:36 -------- d-------- C:\Program Files\Common Files\Real
2006-09-10 00:02 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-09 23:30 -------- d-------- C:\Program Files\PSCloner
2006-09-09 20:59 -------- d-------- C:\Documents and Settings\Jeffrey\Application Data\AdobeUM
2006-09-09 02:01 -------- d-------- C:\Program Files\Internet Explorer
2006-09-09 02:01 -------- d-------- C:\Program Files\Common Files\murm
2006-09-09 01:08 -------- d---s---- C:\Documents and Settings\Jeffrey\Application Data\Microsoft
2006-09-06 02:38 -------- d-------- C:\Program Files\Enigma Software Group
2006-08-31 10:50 157184 ---hs---- C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2006-08-25 18:46 774144 --a------ C:\Program Files\RngInterstitial.dll
2006-08-25 18:46 -------- d-------- C:\Program Files\Real
2006-08-18 13:07 -------- d-------- C:\Program Files\Zango(2)
2006-08-18 13:06 -------- d-------- C:\Program Files\TweakNow RegCleaner Std
2006-08-18 13:06 -------- d-------- C:\Program Files\Registry Mechanic
2006-08-18 11:07 -------- d-------- C:\Program Files\MyGlobalSearch
2006-08-01 21:52 -------- d-------- C:\Program Files\Messenger
2006-07-24 23:42 -------- d-------- C:\Documents and Settings\Jeffrey\Application Data\Alien Skin
2006-07-14 19:54 -------- d-------- C:\Documents and Settings\Jeffrey\Application Data\Adobe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATI DeviceDetect"="C:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE"
"VTTimer"="VTTimer.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"spoolsvv"="C:\\WINDOWS\\System32\\spoolsvv.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"DCOM Server 2238"="{2C1CD3D7-86AC-4068-93BC-A02304BB2238}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^jkoie.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\jkoie.exe"
"backup"="C:\\WINDOWS\\pss\\jkoie.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\jkoie.exe"
"item"="jkoie"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Jeffrey^Start Menu^Programs^Startup^TA_Start.lnk]
"path"="C:\\Documents and Settings\\Jeffrey\\Start Menu\\Programs\\Startup\\TA_Start.lnk"
"backup"="C:\\WINDOWS\\pss\\TA_Start.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\dwdsregt.exe ELT001"
"item"="TA_Start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Jeffrey^Start Menu^Programs^Startup^Think-Adz.lnk]
"path"="C:\\Documents and Settings\\Jeffrey\\Start Menu\\Programs\\Startup\\Think-Adz.lnk"
"backup"="C:\\WINDOWS\\pss\\Think-Adz.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\lwinrpex.exe ELT001"
"item"="Think-Adz"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\865712cf.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="865712cf"
"hkey"="HKCU"
"command"="C:\\Documents and Settings\\Jeffrey\\Local Settings\\Application Data\\865712cf.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Acrobat Assistant 7.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Acrotray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CMFibula]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CMFibula"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\CMFibula\\CMFibula.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\cprocsvc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cproc"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\crunner\\cproc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Explorer 2238]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dxvwnzxn"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\dxvwnzxn.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ExploreUpdSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lwinrpex"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\lwinrpex.exe ELT001"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\mrnby]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qdchxh"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\qdchxh.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\murm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="murmm"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\COMMON~1\\murm\\murmm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\pop06apelt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="thiselt"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\thiselt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PSCloner]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PSCloner"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\PSCloner\\PSCloner.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\qugyxf]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qdchxh"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\qdchxh.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\raq2e115]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w000df25.dll,n 0042e11100000005000df25"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\removenot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="removenot"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\removenot.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\stonedrv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="stonedrv"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\stonedrv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\sys101008857627]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sys101008857627"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\sys101008857627.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TheMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Duce6"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\Duce6.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Ulead AutoDetector v2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="monitor"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Ulead Systems\\AutoDetector\\monitor.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\w0021c19.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w0021c19.dll,I2 0042e11100021c19"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\zkmtftmA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zkmtftmA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\zkmtftmA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\{1F-F2-21-1B-ZN}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="oqdsrego"
"hkey"="HKLM"
"command"="C:\\windows\\system32\\oqdsrego.exe ELT001"
"inimapping"="0"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\{FB87B5FF-064A-4E5B-B271-EA63A82964D2}_BLACK_Jeffrey.job

Completion time: Wed 09/13/2006 18:15:22.34
ComboFix.txt

#8 BassDude

BassDude
  • Topic Starter

  • Members
  • 11 posts

Posted 13 September 2006 - 06:20 PM

And the HJT Log


Logfile of HijackThis v1.99.1
Scan saved at 6:18:13 PM, on 9/13/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\CFusion\cfam\program\ccmgr.exe
C:\CFusion\Bin\cfserver.exe
C:\CFusion\cfam\Program\wsm.exe
C:\CFusion\cfam\Program\dfp.exe
C:\CFusion\cfam\Program\wsprobe.exe
C:\CFusion\Bin\cfexec.exe
C:\CFusion\Bin\cfrdsservice.exe
C:\CFusion\JRun\bin\JRun.exe
C:\CFusion\jrun\bin\jrun.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\CFusion\cfam\bin\CANamingAdapter.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\CFusion\jre\bin\ntConsoleJava.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\spoolsvv.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeffrey\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157864533325
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157864525387
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINDOWS\System32\dxvwnzxn.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ColdFusion Monitoring Service (ClusterCATS Service) - Unknown owner - C:\CFusion\cfam\program\ccmgr.exe
O23 - Service: Cold Fusion Application Server - Macromedia Inc. - C:\CFusion\Bin\cfserver.exe
O23 - Service: ColdFusion Executive (Cold Fusion Executive) - Macromedia Inc. - C:\CFusion\Bin\cfexec.exe
O23 - Service: ColdFusion RDS (Cold Fusion RDS) - Macromedia Inc. - C:\CFusion\Bin\cfrdsservice.exe
O23 - Service: ColdFusion Graphing Server - Unknown owner - C:\CFusion\JRun\bin\JRun.exe
O23 - Service: ColdFusion Management Repository Server (ColdFusion Management Repository) - Unknown owner - C:\CFusion\jrun\bin\jrun.exe" -jrundir "C:\CFusion\jrun" -nt "ColdFusion Management Repository" "cfam (file missing)
O23 - Service: ColdFusion Management Service - Unknown owner - C:\CFusion\cfam\bin\CANamingAdapter.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\zkmtftm.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

#9 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • Location:Finland

Posted 14 September 2006 - 12:51 PM

Hi again, I got some bad news. :thumbsup:

It seems that your computer is really badly infected and messed up.

Though the infections have been identified and can probably be killed, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. The best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.

Please let us know what you have decided to do in your next post.

Edited by Mr_JAk3, 14 September 2006 - 12:55 PM.

UNITE & ASAP member since 2006

#10 BassDude

BassDude
  • Topic Starter

  • Members
  • 11 posts

Posted 14 September 2006 - 04:52 PM

PLEASE let's try and fix it as much as we can ... so I can at least get some of the stuff I need off of it before I reformat it, and apparently it's so dicked up that I can't use my Nero program either ... UGH!

On a side note, do you think I could get off on justifiable homicide for killing the AHOLES that make this crap??

#11 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • Location:Finland

Posted 15 September 2006 - 01:30 AM

Hi again, I'll help you :thumbsup:

The instructions are quite long, please follow carefully!

You should print these instructions or save these to a text file. Follow these instructions carefully.

At first, remove your old version of Ewido via Control Panel -> Add/Remove programs.
We'll install the latest version shortly.

You seem to have some of Enigma Software Group's programs installed. This vendor has a suspicious reputation and past.
I suggest that you remove these programs. If you want to keep them, just skip the GREEN steps.

You seem to have MyGlobalSearch installed. This program has a suspicious reputation.
I suggest that you remove this program. If you want to keep it, just skip the BLUE steps.

You don't seem to have a firewall running, you must download one but do not install it yet!
These are good (free) firewalls:
- Kerio
- Sygate
- Outpost

You don't seem to have an antivirus running, you must download one but do not install it yet!
These are good (free) antiviruses:
- Antivir
- Avast
- AVG

Download and install ewido anti-spyware 4.0
  • Open ewido anti-spyware
  • Click on the Update icon at the top of the window
    • Click on the Start update button
    • Wait for the update to download and install
  • Click Guard
  • Click under "resident shield is"
  • Change it from active to inactive
  • Quit the program, we'll use this later.
Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Open Control Panel -> Add/Remove programs -> Remove all the of the following programs if found:

Enigma Software, SpyHunter or similar
MyGlobalSearch

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

drivers to unload:
Windows Overlay Components
pe386

registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^jkoie.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Jeffrey^Start Menu^Programs^Startup^TA_Start.lnk
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Jeffrey^Start Menu^Programs^Startup^Think-Adz.lnk
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\865712cf.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CMFibula
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\cprocsvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Explorer 2238
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ExploreUpdSched
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\mrnby
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\murm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\pop06apelt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PSCloner
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\qugyxf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\raq2e115
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\removenot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\stonedrv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\sys101008857627
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TheMonitor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\w0021c19.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\zkmtftmA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\{1F-F2-21-1B-ZN}

registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | spoolsvv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks | {AEB6717E-7E19-11d0-97EE-00C04FD91972}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | DCOM Server 2238

Files to delete:
C:\WINDOWS\optimize.exe
C:\WINDOWS\popupwithcast.exe
C:\WINDOWS\comdlj32.dll
C:\WINDOWS\system32\spoolsvv.exe
C:\WINDOWS\system32\winpfg32.sys
C:\WINDOWS\system32\dxvwnzxn.exe
C:\WINDOWS\system32\dxvwelii.exe
C:\WINDOWS\file.bat
C:\WINDOWS\srvzzyzirv.exe
C:\WINDOWS\sys101008857627.exe
C:\WINDOWS\system32\raq2e115.sys
C:\WINDOWS\system32\pwfc.dll
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\WINDOWS\pss\jkoie.exe
C:\Documents and Settings\Jeffrey\Start Menu\Programs\Startup\TA_Start.lnk
C:\WINDOWS\pss\TA_Start.lnkStartup
C:\WINDOWS\system32\dwdsregt.exe
C:\Documents and Settings\Jeffrey\Start Menu\Programs\Startup\Think-Adz.lnk
C:\WINDOWS\pss\Think-Adz.lnkStartup
C:\WINDOWS\system32\lwinrpex.exe
C:\Documents and Settings\Jeffrey\Local Settings\Application Data\865712cf.exe
C:\WINDOWS\System32\qdchxh.exe
C:\WINDOWS\thiselt.exe
c:\windows\system32\removenot.exe
c:\windows\system32\stonedrv.exe
C:\WINDOWS\sys101008857627.exe
C:\WINDOWS\zkmtftmA.exe
C:\windows\system32\oqdsrego.exe

Folders to Delete:
C:\Program Files\CMFibula
C:\Program Files\Zango(2)
C:\Program Files\whInstall
C:\Program Files\popupwithcast
C:\Program Files\PSCloner
C:\Program Files\Common Files\murm


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINDOWS\System32\dxvwnzxn.exe

Go to My Computer and delete the following folders (if present):
C:\Program Files\Enigma Software Group
C:\Program Files\MyGlobalSearch

Use the Windows search
  • Start
  • Search
  • All files and folders
  • More advanced options
Checkmark these options:
  • "Search system folders"
  • "Search hidden files and folders"
  • "Search subfolders"
  • Search for this and delete if found: w000df25.dll
  • Search for this and delete if found: w0021c19.dll
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

NOTE: The following will clear all of your cookies, forms and history from Firefox. Feel free to skip this step.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
NOTE: The following will clear all of your cookies, forms and history from Opera. Feel free to skip this step.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now scan your computer with Ewido.
  • Open Ewido
  • Click on the Scanner icon at the top of the window
  • Click on the Settings tab then select Recommended Options and choose Quarantine
  • Click on the Scan tab
  • Select Complete System Scan. Ewido will now begin to scan your system
  • When the scan has completed, if infections were found, press Apply all actions.
  • Then click on the Save Scan Report button and save the scan to your Desktop where it can be easily found
Then, unplug your computer from the internet.
Restart your computer normally.
Install the firewall and antivirus that you downloaded earlier.
Re-plug your computer to the internet.

1. Download gmer from http://www.gmer.net
2. Save it somewhere safe & unzip it to desktop
3. Double click the gmer.exe to run it and select the rootkit tab, press scan
4. When it has finished, click on Copy, this will copy the text to your clipboard
5. Paste the log to here

When you're ready, post the following logs to here:
- Ewido's report
- a fresh HijackThis log
- contents of c:\avenger.txt
- gmer log

Edited by Mr_JAk3, 16 September 2006 - 01:21 AM.

UNITE & ASAP member since 2006

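As an added example (not part of this thread, and not code from HijackThis or The Avenger), the script below parses the "O" lines of a HijackThis log, reports which entries of a fix list like the one in this post are still present in a fresh log, and flags lines that HJT itself marks "(file missing)" or "Unknown owner" for a second look. The sample log and fix list are constructed from entries quoted in this thread.

```python
"""Compare a fresh HijackThis log against a list of entries that were to be fixed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# "O4 - HKLM\..\Run: [name] command" style lines: section code, then the body.
_ENTRY_RE = re.compile(r"^(O\d{1,2})\s+-\s+(.*\S)\s*$")


@dataclass
class HjtEntry:
    section: str        # e.g. "O4", "O21", "O23"
    body: str           # everything after "Oxx - "
    path: str           # launched file/command, as far as the line format tells us
    file_missing: bool  # HJT appends "(file missing)" when the target is absent


# Constructed sample, shaped like the log posted above (not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINDOWS\System32\dxvwnzxn.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\zkmtftm.exe (file missing)
"""

# The three entries the helper asked to be fixed in HJT, copied from the post.
FIX_LIST = [
    r"O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe",
    r"O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab",
    r"O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINDOWS\System32\dxvwnzxn.exe",
]


def _normalize(line: str) -> str:
    """Collapse whitespace and case so copy/paste differences do not matter."""
    return " ".join(line.split()).lower()


def parse_entries(log_text: str) -> list[HjtEntry]:
    """Extract the O-lines; header and 'Running processes' paths are skipped."""
    entries: list[HjtEntry] = []
    for raw in log_text.splitlines():
        m = _ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        if section == "O4" and "]" in body:
            path = body.split("]", 1)[1].strip()      # text after "[name]"
        else:
            path = body.rsplit(" - ", 1)[-1].strip()  # last " - " separated field
        entries.append(HjtEntry(section, body, path, path.endswith("(file missing)")))
    return entries


def still_present(log_text: str, fix_list: list[str]) -> dict[str, bool]:
    """Map each fix-list entry to whether it still appears in the fresh log."""
    seen = {_normalize(line) for line in log_text.splitlines()}
    return {item: _normalize(item) in seen for item in fix_list}


def needs_review(entries: list[HjtEntry]) -> list[tuple[HjtEntry, list[str]]]:
    """Flag entries using the two markers HJT itself writes into a line."""
    flagged = []
    for e in entries:
        reasons = []
        if e.file_missing:
            reasons.append("file missing")
        if "unknown owner" in e.body.lower():
            reasons.append("unknown owner")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for item, present in still_present(SAMPLE_LOG, FIX_LIST).items():
        print(("STILL PRESENT  " if present else "gone           ") + item)
    for e, why in needs_review(parse_entries(SAMPLE_LOG)):
        print(f"review {e.section}: {e.path}  ({', '.join(why)})")
```

Run it against the text of a saved HJT log instead of SAMPLE_LOG to see which of the listed items survived the fix.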
#12 BassDude

BassDude
  • Topic Starter

  • Members
  • 11 posts

Posted 15 September 2006 - 07:47 PM

Got to the step on running Avenger ... but it will not open at all on this PC ... do I need to stop a process or something? :thumbsup:

#13 BassDude

BassDude
  • Topic Starter

  • Members
  • 11 posts

Posted 15 September 2006 - 08:31 PM

can I manually remove all of this stuff via regedit?? I know how to use that ... just not exactly what files to look for, though the log you made helps, I DID look for each entry in there, but have yet to do anything. The only thing I wasn't sure about was how to remove the drivers at the start of the file ...


DID NOT touch anything yet though ... just waiting to see what you recommend

#14 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • Location:Finland

Posted 16 September 2006 - 01:20 AM

Ok, please do not try to do the cleaning manually. It is too risky.

Let's try this...

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

Then, download Blacklight trial from here:
http://www.f-secure.com/blacklight/
  • Hit I accept. It will take you to download page.
  • Download blbeta.exe and save it to the Desktop.
  • Once saved... double click blbeta.exe to install the program.
  • Click accept agreement and Click scan
    This app too may fire off a warning from antivirus. Let the driver load.
    Wait for it to finish.
  • If it displays any items...don't do anything with them yet. Just hit exit (close)
  • It will drop a log on Desktop that starts with fsbl....big number
Please post contents of log in your next reply.

Then, download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.


When you're ready, post the following logs to here:
-Gmer log
-Blacklight log
-HijackThis uninstall list

Edited by Mr_JAk3, 16 September 2006 - 02:07 AM.

UNITE & ASAP member since 2006

#15 BassDude

BassDude
  • Topic Starter

  • Members
  • 11 posts

Posted 16 September 2006 - 08:47 PM

Okay ... here's the Blacklight and HJT logs you need ... but, NEW problem, every time the GMER program hits the Windows/system32 file to scan it shuts the pc down and restarts ... same thing if you even just open the file ... PLEASE tell me I'm not screwed. :thumbsup:


09/16/06 20:34:41 [Info]: BlackLight Engine 1.0.46 initialized
09/16/06 20:34:41 [Info]: OS: 5.1 build 2600 ()
09/16/06 20:34:41 [Note]: 7019 4
09/16/06 20:34:41 [Note]: 7005 0
09/16/06 20:34:47 [Note]: 7006 0
09/16/06 20:34:47 [Note]: 7011 448
09/16/06 20:34:47 [Note]: 7026 0
09/16/06 20:34:47 [Note]: 7026 0
09/16/06 20:34:47 [Note]: 7024 3
09/16/06 20:34:47 [Info]: Hidden process: C:\WINDOWS\System32\spoolsvv.exe
09/16/06 20:34:47 [Note]: FSRAW library version 1.7.1019
09/16/06 20:35:15 [Error]: 6019 0
09/16/06 20:35:15 [Error]: 6017 0
09/16/06 20:35:27 [Note]: 7007 0


Ad-Aware SE Personal
Adobe Acrobat 7.0.7 Professional
Adobe Premiere Pro
ATI - Software Uninstall Utility
ATI Control Panel
ATI Decoder
ATI Display Driver
ATI HYDRAVISION
ATI Multimedia Center 9.01
ATI Parental Control & Encoder
ATI Remote Wonder 2.3
BearShare
Bryce® 5
ColdFusion 5
ConnectionServices
DAO
ewido anti-spyware 4.0
Flash saver
Google Toolbar for Internet Explorer
Guitar Pro 5.0
HijackThis 1.99.1
HP PSC & Officejet 4.2 Corporate Edition
J2SE Runtime Environment 5.0 Update 7
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Macromedia FreeHand 10
Macromedia Shockwave Player
MacromediaDreamweaver MX
Microsoft Office XP Professional with FrontPage
MSN Music Assistant
Nero 6 Ultra Edition
Poser 6
QuickTime
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Ulead PhotoImpact 10 ESD
USB 2.0 Setup program
VIA Audio Driver Setup Program
VIA/S3G Display Driver
Windows Installer 3.0 (KB884016)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB842773
WinRAR archiver
XP Codec Pack

