Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Gain Dashbar And Ibm00013.exe


  • This topic is locked This topic is locked
9 replies to this topic

#1 wesco

wesco

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:32 PM

Posted 14 June 2007 - 01:08 PM

I cleaned up my friend's PC using Spybot, Adaware, AVG Antivirus and Spyware both in Safe Mode and Normal Boot. However, whenever the PC is booted, still get Windows can not find ibm000013.exe and a program whose name is a bunch of squares. Also Software Station is missing a componenet. IE Explorer also starts. Whenever Spybot runs at boot-time, still cannot delete Gain Dashbar. PC runs much better before clean up but there are some lingering problems which I need help with.

The PC is still running XP SP1 and not currently connected to the Internet. Decided not to upgrade to SP2 until problems are fixed.

Here are the Hijack log and the start up log from Hijack. TIA!

Logfile of HijackThis v1.99.1
Scan saved at 1:45:58 PM, on 6/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00013.exe"
F3 - REG:win.ini: load=??? ??? ??? ? ? ?O???
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {CD0FD544-5710-E7D8-7CDF-35F3B6A22A9A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [Testimonials] teqq32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iesetupdll] progmen.exe
O4 - HKCU\..\Run: [prgsys0984] sbin.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D3A71A6-C742-42BA-B54A-F20099F5847A}: NameServer = 69.50.161.131,85.255.112.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{7409069B-DFF7-4552-9F5C-262EFF438188}: NameServer = 69.50.161.131,85.255.112.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD9EF40A-42C1-4679-9C01-869ADD4BAF44}: NameServer = 69.50.161.131,85.255.112.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBAEEE1E-5C69-4057-80AC-8BCDE0C10C6F}: NameServer = 69.50.161.131,85.255.112.14
O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

###############################################################

StartupList report, 6/14/2007, 1:46:32 PM
StartupList version: 1.52.2
Started from : C:\HijackThis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
hpoddt01.exe.lnk = ?
Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\System32\Userinit.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
CARPService = carpserv.exe
WCOLOREAL = "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
srmclean = C:\Cpqs\Scom\srmclean.exe
Smapp = C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
tgcmd = C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
iexplore.exe = C:\Program Files\Internet Explorer\iexplore.exe
Testimonials = teqq32.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
SoftwareStation = "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
!AVG Anti-Spyware = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Compaq_RBA = C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe -z

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

(Default) =

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MoneyAgent = "c:\Program Files\Microsoft Money\System\Money Express.exe"
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
iesetupdll = progmen.exe
prgsys0984 = sbin.exe
updateMgr = C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[Compaq]
SetRefresh = C:\Program Files\Compaq\SetRefresh\SetRefresh.exe

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=??? ??? ??? ? ? ?O???
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00013.exe"
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - (no file) - {CD0FD544-5710-E7D8-7CDF-35F3B6A22A9A}

--------------------------------------------------

Enumerating Task Scheduler jobs:

FRU Task #Hewlett-Packard#hp psc 2170 series#1098502323.job
Registration reminder 1.job
Registration reminder 2.job
Registration reminder 3.job

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\System32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

[YahooYMailTo Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ymmapi.dll
CODEBASE = http://download.yahoo.com/dl/installs/ymail/ymmapi.dll

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8b.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 9,277 bytes
Report generated in 0.047 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:32 PM

Posted 14 June 2007 - 04:06 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum wesco :thumbsup:

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry,then reboot.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\WINDOWS\system32\userinit.exe,"

*******************************

Download and run Fixwareout from the link below:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
After the reboot post the contents of the logfile C:\fixwareout\report.txt in your next reply.

*******************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.
Posted Image
Posted Image

#3 wesco

wesco
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:32 PM

Posted 14 June 2007 - 11:02 PM

Thank you so much for your reply. I ran everything and the reports are listed below. The ibm00013.exe and "squares" messages do not appear now at bootup. I still get a message concerning missing components for Software Station (is this part of eAccelerator?) and IE pops up. Thanks again. Wes


Fixwareout Last edited 5/15/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="csdkf.exe"

»»»»»

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "pgtshlld" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "gib_ogol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "nidnsdr" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23naelch" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "ytpme" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "eilcctrec" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "ifpnxesm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "aplnsftn" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23rtcdaol" Deleted
....
»»»»» Misc files.
C:\Documents and Settings\Melissa\Application Data\Install.dat Deleted
C:\WINDOWS\RDT.INI Deleted
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.


Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other

»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"CARPService"="carpserv.exe"
"WCOLOREAL"="\"C:\\Program Files\\COMPAQ\\Coloreal\\coloreal.exe\""
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"tgcmd"="C:\\Program Files\\Support.com\\bin\\tgcmd.exe /server /startmonitor /deaf"
"iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe"
"Testimonials"="teqq32.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"SoftwareStation"="\"C:\\Program Files\\eAcceleration\\Station\\station.exe\" /b Startup"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Compaq]
"SetRefresh"="C:\\Program Files\\Compaq\\SetRefresh\\SetRefresh.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="\"c:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"iesetupdll"="progmen.exe"
"prgsys0984"="sbin.exe"
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_5"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»




ComboFix 07-06-13.7
"Melissa" - 2007-06-14 23:22:06 - Service Pack 1 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\info.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_MSUDP4
-------\msudp4


((((((((((((((((((((((((( Files Created from 2007-05-15 to 2007-06-15 )))))))))))))))))))))))))))))))


2007-06-14 23:20 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-14 23:09 10,393 --a------ C:\dnsbak.reg
2007-06-11 18:47 <DIR> d-------- C:\Program Files\WinASO
2007-06-11 14:36 77,312 --a------ C:\WINDOWS\ua2.dll
2007-06-09 19:06 <DIR> d-------- C:\WINDOWS\pss
2007-06-08 08:42 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-06-08 08:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-08 08:18 <DIR> d-------- C:\HijackThis
2007-06-08 07:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-08 07:34 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-08 07:34 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-06-08 07:34 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-06-07 14:24 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-07 08:49 <DIR> d-------- C:\Melissa's PC
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-15 03:33:23 4,791 ----a-w C:\WINDOWS\compaq.reg
2007-06-12 20:00:37 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-12 20:00:37 -------- d-----w C:\Program Files\COMPAQ
2007-06-08 12:42:05 -------- d-----w C:\Program Files\Lavasoft
2007-06-08 12:41:52 -------- d-----w C:\DOCUME~1\Melissa\APPLIC~1\Lavasoft
2007-06-07 18:53:06 -------- d-----w C:\Program Files\Butterfly Oasis Screensaver
2007-06-06 02:18:40 -------- d-----w C:\Program Files\NoAdware3
2007-06-06 02:10:25 -------- d-----w C:\Program Files\PokerStars.NET
2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4efb-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll [2005-03-04 20:34]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-24 00:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"CARPService"="carpserv.exe" [2002-01-02 21:06 C:\WINDOWS\system32\carpserv.exe]
"WCOLOREAL"="C:\Program Files\COMPAQ\Coloreal\coloreal.exe" [2002-02-20 15:40]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-05-31 22:12]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 17:34]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2001-10-12 18:45]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe" [2002-05-31 22:22]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-07-13 15:00]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 15:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-22 22:11]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2006-01-09 16:42]
"iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe" [2002-08-29 03:41]
"Testimonials"="teqq32.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-07 16:50]
"SoftwareStation"="C:\Program Files\eAcceleration\Station\station.exe" [2006-01-31 16:42]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-05-30 08:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\Program Files\Microsoft Money\System\Money Express.exe" [2001-07-25 13:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 17:18]
"iesetupdll"="progmen.exe" []
"prgsys0984"="sbin.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 14:49]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


Contents of the 'Scheduled Tasks' folder
2005-03-07 21:42:47 C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1098502323.job
2002-08-15 13:57:58 C:\WINDOWS\tasks\Registration reminder 1.job
2002-08-15 13:57:59 C:\WINDOWS\tasks\Registration reminder 2.job
2002-08-15 13:57:59 C:\WINDOWS\tasks\Registration reminder 3.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-14 23:33:22
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-14 23:40:20 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-14 23:39

--- E O F ---



Logfile of HijackThis v1.99.1
Scan saved at 11:43:07 PM, on 6/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Adaptec\Easy CD Creator 5\Easy CD Creator\Creatr50.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {CD0FD544-5710-E7D8-7CDF-35F3B6A22A9A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [Testimonials] teqq32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iesetupdll] progmen.exe
O4 - HKCU\..\Run: [prgsys0984] sbin.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:32 PM

Posted 15 June 2007 - 03:07 AM

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.

******************************

Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
You'll be prompted to install the activex control,please do so.
Once installed,disable your current antivirus program,then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.
*Note*
Don't forget to re-enable your antivirus program.

Also post a new Hijackthis log please.
Posted Image
Posted Image

#5 wesco

wesco
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:32 PM

Posted 16 June 2007 - 06:16 AM

Here are the requested logs. The PC is a lot faster now but takes a while to completely boot up. Thanks again.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/15/2007 at 01:56 PM

Application Version : 3.8.1002

Core Rules Database Version : 3255
Trace Rules Database Version: 1266

Scan type : Complete Scan
Total Scan Time : 01:30:50

Memory items scanned : 459
Memory threats detected : 0
Registry items scanned : 4775
Registry threats detected : 6
File items scanned : 29410
File threats detected : 2

Parasite.WareOut
HKLM\Software\Classes\CLSID\{61658059-04DF-0EB8-5ED9-C1BE78E6D88B}
HKCR\CLSID\{61658059-04DF-0EB8-5ED9-C1BE78E6D88B}
HKCR\CLSID\{61658059-04DF-0EB8-5ED9-C1BE78E6D88B}\InprocServer32
TRYCRT.DLL

Browser Hijacker.Apropos Media/PeopleOnPage
HKLM\Software\Classes\CLSID\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\409

Trojan.PSA3D
C:\WINDOWS\SYSTEM32\PS.A3D

END OF SUPERVIRUS LOG

BitDefender Online Scanner

Scan report generated at: Sat, Jun 16, 2007 - 01:24:22

Scan path: A:\;C:\;D:\;E:\;

Statistics

Time
01:52:14

Files
192882

Folders
4129

Boot Sectors
2

Archives
8278

Packed Files
11897

Results

Identified Viruses
1

Infected Files
3

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
3

Engines Info

Virus Definitions
513898

Engine build
AVCORE v1.0 (build 2410) (i386) (Jun 12 2007 21:08:27)

Scan plugins
14

Archive plugins
38

Unpack plugins
6

E-mail plugins
6

System plugins
1

Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes

Scanned File
Status

C:\Program Files\support.com\backup\On\Onlysexwebsite.url\91_528c3ff5d_=>Only sex website.url
Infected with: Trojan.Downloader.Agent.BQ

C:\Program Files\support.com\backup\On\Onlysexwebsite.url\91_528c3ff5d_=>Only sex website.url
Disinfection failed

C:\Program Files\support.com\backup\On\Onlysexwebsite.url\91_528c3ff5d_=>Only sex website.url
Deleted

C:\Program Files\support.com\backup\On\Onlysexwebsite.url\91_528c3ff5d_
Update failed

C:\Program Files\support.com\backup\se\Searchtheweb.url\91_538f2f55e_=>Search the web.url
Infected with: Trojan.Downloader.Agent.BQ

C:\Program Files\support.com\backup\se\Searchtheweb.url\91_538f2f55e_=>Search the web.url
Disinfection failed

C:\Program Files\support.com\backup\se\Searchtheweb.url\91_538f2f55e_=>Search the web.url
Deleted

C:\Program Files\support.com\backup\se\Searchtheweb.url\91_538f2f55e_
Update failed

C:\Program Files\support.com\backup\se\Sevendaysoffreeporn.url\87_5a58f2672_=>Seven days of free porn.url
Infected with: Trojan.Downloader.Agent.BQ

C:\Program Files\support.com\backup\se\Sevendaysoffreeporn.url\87_5a58f2672_=>Seven days of free porn.url
Disinfection failed

C:\Program Files\support.com\backup\se\Sevendaysoffreeporn.url\87_5a58f2672_=>Seven days of free porn.url
Deleted

C:\Program Files\support.com\backup\se\Sevendaysoffreeporn.url\87_5a58f2672_
Update failed

END OF BITDEFENDER LOG

Logfile of HijackThis v1.99.1
Scan saved at 7:09:35 AM, on 6/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {CD0FD544-5710-E7D8-7CDF-35F3B6A22A9A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [Testimonials] teqq32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iesetupdll] progmen.exe
O4 - HKCU\..\Run: [prgsys0984] sbin.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:32 PM

Posted 17 June 2007 - 04:55 AM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: Class - {CD0FD544-5710-E7D8-7CDF-35F3B6A22A9A} - (no file)
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [Testimonials] teqq32.exe
O4 - HKCU\..\Run: [iesetupdll] progmen.exe
O4 - HKCU\..\Run: [prgsys0984] sbin.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

Exit Hijackthis.

***********************

Download and scan with the free 15 day trial of Counterspy V2
Save the report when it's finished:
1.Once Counterspy has done scanning,the 'Scan Results' box will appear.
2.Click on 'View Results'.
3.Under (Recommended Action),using the drop down menus at the side of each entry found,set EVERYTHING to 'Remove'.
4.Then click on 'Take Action'.
5.Once everything has been removed,click on 'View Details'.
6.Copy and Paste those details into your next reply.

Also post a new Hijackthis log please.
Let me know how its going now.

Posted Image
Posted Image

#7 wesco

wesco
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:32 PM

Posted 18 June 2007 - 06:47 AM

Thanks to your help, the PC is running much better now. It boots up cleanly and is more responsive. Thank you for all your help. Here are the logs you requested.

Scan History Details
Start Date: 6/17/2007 4:03:48 PM
End Date: 6/17/2007 6:42:01 PM
Total Time: 158 Min 13 Sec
Detected security risks

AV&Firewall Killer Security Disabler more information...
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\*\SHELLEX\CONTEXTMENUHANDLERS\SYSACPILDAP


Claria.Gator.eWallet Adware (General) more information...
Details: Claria's Gator eWallet is an ad supported program that can automatically fill in passwords and other form-elements on Web pages.
Status: Deleted

Files detected
C:\WINDOWS\GatorGainInstaller.log


Claria.GAIN.CommonElements Adware (General) more information...
Details: Claria's GAIN network consists of several applications inlcuding Gator eWallet, GotSmiley, ScreenSeenes, WebSecureAlert, DashBar, Weatherscope, Date Manager and Precision Time.
Status: Deleted

Files detected
C:\WINDOWS\GatorPatch.log


ABetterInternet Adware (General) more information...
Details: ABetterInternet shows advertisements based on the web pages you view and the web sites you visit.
Status: Deleted

Files detected
C:\WINDOWS\abiuninst.htm


Looking-For.Home Search Assistant Hijacker more information...
Details: Home Search Assistant is an Internet Explorer browser helper object (BHO) that changes the user's home page and modifes search results. It also spawns pop-ups on the desktop.
Status: Deleted

Files detected
C:\WINDOWS\000001_.tmp:jzwfuf
C:\WINDOWS\_default.pif:bghtrd
C:\WINDOWS\_default.pif:bltthk
C:\WINDOWS\_default.pif:bzwpxv
C:\WINDOWS\_default.pif:ctlfch
C:\WINDOWS\_default.pif:dltcxs
C:\WINDOWS\_default.pif:ewhylw
C:\WINDOWS\_default.pif:ffanda
C:\WINDOWS\_default.pif:gbuuuw
C:\WINDOWS\_default.pif:gfadti
C:\WINDOWS\_default.pif:ilxbto
C:\WINDOWS\_default.pif:ivshil
C:\WINDOWS\_default.pif:jiamdv
C:\WINDOWS\_default.pif:kybhhq
C:\WINDOWS\_default.pif:lnyovh
C:\WINDOWS\_default.pif:lshatw
C:\WINDOWS\_default.pif:lsnvdu
C:\WINDOWS\_default.pif:oqgqax
C:\WINDOWS\_default.pif:pjzdgx
C:\WINDOWS\_default.pif:pvjfwe
C:\WINDOWS\_default.pif:rcuhkc
C:\WINDOWS\_default.pif:rnqzha
C:\WINDOWS\_default.pif:rnrsvo
C:\WINDOWS\_default.pif:sqgoyu
C:\WINDOWS\_default.pif:taaygp
C:\WINDOWS\_default.pif:tauoga
C:\WINDOWS\_default.pif:tfelej
C:\WINDOWS\_default.pif:ubsieu
C:\WINDOWS\_default.pif:vaqmcc
C:\WINDOWS\_default.pif:wcdoxw
C:\WINDOWS\_default.pif:wykpre
C:\WINDOWS\_default.pif:xlcfma
C:\WINDOWS\_default.pif:zjvffc
C:\WINDOWS\_default.pif:zwuedp
C:\WINDOWS\Active Setup Log.txt:dutlst
C:\WINDOWS\control.ini:xfoqey
C:\WINDOWS\DtcInstall.log:biseuz
C:\WINDOWS\evnrb.dat:kcwtpr
C:\WINDOWS\fypzn.dat:cebsny
C:\WINDOWS\fzcam.log:vcptda
C:\WINDOWS\Gone Fishing.bmp:jthyac
C:\WINDOWS\hjjuo.log:aishrn
C:\WINDOWS\hpomdl01.dat:zmpnbf
C:\WINDOWS\htilq.log:ftvsnr
C:\WINDOWS\INET.reg:bccdcr
C:\WINDOWS\KB841356.log:pbovgg
C:\WINDOWS\KB842773.log:epomua
C:\WINDOWS\KB873339.log:ogqcja
C:\WINDOWS\KB885835.log:dgujnr
C:\WINDOWS\KB885835.log:telrlh
C:\WINDOWS\logon2.reg:yscnye
C:\WINDOWS\mjrzk.txt:uwsoun
C:\WINDOWS\mozver.dat:csecxo
C:\WINDOWS\msdfmap.ini:hnlvvx
C:\WINDOWS\MSDraw.ini:dmwdab
C:\WINDOWS\msgsocm.log:bnqdfv
C:\WINDOWS\msgsocm.log:xnqeok
C:\WINDOWS\msoffice.ini:rlgchn
C:\WINDOWS\msxmidi.exe.js:agbexj
C:\WINDOWS\n_iggogo.dat:aczfjc
C:\WINDOWS\pss\win.ini.backup:pikrbn
C:\WINDOWS\Q315000.log:kifflf
C:\WINDOWS\Q315000.log:mwclap
C:\WINDOWS\QUICKEN.INI:areukq
C:\WINDOWS\QUICKEN.INI:jnlvqc
C:\WINDOWS\setupact.log:yqxwvh
C:\WINDOWS\tzllx.txt:dhfttt
C:\WINDOWS\uxrhy.log:jlaibn
C:\WINDOWS\WindowsUpdate.log:ntdyva
C:\WINDOWS\winnt.bmp:nfbvcu


Claria.ScreenScenes Adware Installer more information...
Details: ScreenScenes are ad supported downloadable screensavers from Claria/GAIN Publishing.
Status: Deleted

Files detected
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\Programs\BUTTERFLY OASIS SCREENSAVER\Get more Screensavers.lnk
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\Programs\BUTTERFLY OASIS SCREENSAVER\More info at ScreenScenes.com.lnk
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\Programs\BUTTERFLY OASIS SCREENSAVER\Upgrade to Premium version.lnk
C:\PROGRAM FILES\BUTTERFLY OASIS SCREENSAVER\BO1DefaultScreen.bmp
C:\PROGRAM FILES\BUTTERFLY OASIS SCREENSAVER\BO1Helper.ini
C:\PROGRAM FILES\BUTTERFLY OASIS SCREENSAVER\Get more Screensavers.url
C:\PROGRAM FILES\BUTTERFLY OASIS SCREENSAVER\More info at ScreenScenes.com.url
C:\PROGRAM FILES\BUTTERFLY OASIS SCREENSAVER\Upgrade to Premium version.url
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\BUTTERFLY OASIS SCREENSAVER
C:\PROGRAM FILES\BUTTERFLY OASIS SCREENSAVER

Registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\BUTTERFLYOASIS
HKEY_LOCAL_MACHINE\SOFTWARE\BUTTERFLYOASIS
HKEY_USERS\S-1-5-21-1417066420-3719885985-2111342016-1006\SOFTWARE\SCREENSCENES
HKEY_USERS\S-1-5-21-1417066420-3719885985-2111342016-1006\SOFTWARE\SCREENSCENES\ButterflyOasis
HKEY_USERS\S-1-5-21-1417066420-3719885985-2111342016-1006\SOFTWARE\SCREENSCENES\ButterflyOasis
HKEY_USERS\S-1-5-21-1417066420-3719885985-2111342016-1006\SOFTWARE\SCREENSCENES\ButterflyOasis
HKEY_USERS\S-1-5-21-1417066420-3719885985-2111342016-1006\SOFTWARE\SCREENSCENES\ButterflyOasis
HKEY_USERS\S-1-5-21-1417066420-3719885985-2111342016-1006\SOFTWARE\SCREENSCENES\ButterflyOasis
HKEY_USERS\S-1-5-21-1417066420-3719885985-2111342016-1006\SOFTWARE\SCREENSCENES\ButterflyOasis
HKEY_USERS\S-1-5-21-1417066420-3719885985-2111342016-1006\SOFTWARE\SCREENSCENES\ButterflyOasis
HKEY_USERS\S-1-5-21-1417066420-3719885985-2111342016-1006\SOFTWARE\SCREENSCENES\ButterflyOasis
HKEY_USERS\S-1-5-21-1417066420-3719885985-2111342016-1006\SOFTWARE\SCREENSCENES\ButterflyOasis
HKEY_USERS\S-1-5-21-1417066420-3719885985-2111342016-1006\SOFTWARE\SCREENSCENES\ButterflyOasis
HKEY_USERS\S-1-5-21-1417066420-3719885985-2111342016-1006\SOFTWARE\SCREENSCENES\ButterflyOasis
HKEY_USERS\S-1-5-21-1417066420-3719885985-2111342016-1006\SOFTWARE\SCREENSCENES\ButterflyOasis
HKEY_USERS\S-1-5-21-1417066420-3719885985-2111342016-1006\SOFTWARE\SCREENSCENES\ButterflyOasis
HKEY_USERS\S-1-5-21-1417066420-3719885985-2111342016-1006\SOFTWARE\SCREENSCENES\ButterflyOasis
HKEY_USERS\S-1-5-21-1417066420-3719885985-2111342016-1006\SOFTWARE\SCREENSCENES\ButterflyOasis
HKEY_USERS\S-1-5-21-1417066420-3719885985-2111342016-1006\SOFTWARE\SCREENSCENES\ButterflyOasis


SpySheriff Rogue Security Program more information...
Details: SpySheriff is a purported anti-spyware application to scan for and remove spyware from users' computers.
Status: Deleted

Files detected
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqDD6.tmp\SpySheriff_1.dat
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqDD6.tmp\SpySheriff_2.dat


A-311 Death Trojan more information...
Details: A-311 Death is a remote administration tool with many features, like registry access, process viewer, file download/upload, etc.
Status: Deleted

Files detected
C:\WINDOWS\system32\p2.ini


Goldun.Fam Trojan more information...
Details: Goldun.Fam is a family of Trojan horse programs that steals users' information entered for authentication on e-gold online web forms.
Status: Deleted

Files detected
C:\WINDOWS\system32\config\SSL


Logfile of HijackThis v1.99.1
Scan saved at 9:14:04 PM, on 6/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:32 PM

Posted 18 June 2007 - 01:30 PM

Your log is clean :thumbsup:
If all's ok,please do the following:

Find and delete:
fix.reg
Fixwareout
Combofix

C:\QooBox
C:\Fixwareout

-------------------

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

-------------------

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
Posted Image
Posted Image

#9 wesco

wesco
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:32 PM

Posted 18 June 2007 - 02:02 PM

Thank you so much for all your time and effort!! Wes

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:32 PM

Posted 18 June 2007 - 02:08 PM

You're most welcome Wes :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users