Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis Log: Please help Diagnose


  • Please log in to reply
14 replies to this topic

#1 vtalats

vtalats

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:12 AM

Posted 23 January 2005 - 09:54 AM

My son seems to have found his way to some nasty pestware. I have run NAV, Spybot S&D and AdAware to no avail. Please help!!

HijackThis Log:

Logfile of HijackThis v1.99.0
Scan saved at 9:27:30 AM, on 1/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Concentra\CIS VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\HPConfig.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WebDrive\wdservice.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CSBB\CSv10P070.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\dlsmgr\dlsmgr.exe
C:\Program Files\hpdll\hpdll.exe
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
C:\WINDOWS\System32\vmss\vmss.exe
C:\WINDOWS\System32\scpistor12.exe
C:\WINDOWS\System32\voygik.exe
C:\WINDOWS\zzopgi.exe
C:\Documents and Settings\kara\Application Data\wtta.exe
C:\WINDOWS\System32\r?gsvr32.exe
C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
C:\WINDOWS\System32\winupdt.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINDOWS\system32\taskmgr.exe
c:\windows\system32\eealinr.exe
c:\windows\system32\calc.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\winupdt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\ULTIMA~1.7\uzip.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vt.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/info/e-center-p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/info/e-center-p
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000002230} - C:\Program Files\CSBB\CSBB.DLL
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SDWin32 Class - {37906BA2-19AD-49F5-96CF-7A4796C11B05} - C:\WINDOWS\System32\jvfjm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FE504C33-89A7-FD79-D11D-8F1DF64211CD} - C:\WINDOWS\System32\hxabzgbr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [jvfjmc] C:\WINDOWS\System32\jvfjmc.exe
O4 - HKLM\..\Run: [dlsmgr] C:\Program Files\dlsmgr\dlsmgr.exe
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [438S33Q] scpistor12.exe
O4 - HKLM\..\Run: [C:\WINDOWS\zzopgi.exe] C:\WINDOWS\zzopgi.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [eealinr] c:\windows\system32\eealinr.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\kara\Application Data\wtta.exe
O4 - HKCU\..\Run: [Xdbszlx] C:\WINDOWS\System32\r?gsvr32.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - Global Startup: Concentra Integrated Services VPN Client.lnk = C:\Program Files\Concentra\CIS VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
O16 - DPF: Metakenkoh Applets - https://beta.bodymedia.com/metakenkoh/files...mmetakenkoh.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O21 - SSODL: Quicken Financial Center - {F552EB27-B6B6-FA06-9C9D-576CC25768FC} - C:\PROGRA~1\QUICKE~1\rem\UNWISE.dll
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: pcAnywhere Host Service - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\Concentra\CIS VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: HP Configuration Service - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: MySql - Unknown - D:\mysql\bin\mysqld-max-nt.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: WebDrive Service - Unknown - C:\Program Files\WebDrive\wdservice.exe

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,714 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:12 AM

Posted 24 January 2005 - 11:01 AM

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000002230} - C:\Program Files\CSBB\CSBB.DLL
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: SDWin32 Class - {37906BA2-19AD-49F5-96CF-7A4796C11B05} - C:\WINDOWS\System32\jvfjm.dll
O2 - BHO: (no name) - {FE504C33-89A7-FD79-D11D-8F1DF64211CD} - C:\WINDOWS\System32\hxabzgbr.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [jvfjmc] C:\WINDOWS\System32\jvfjmc.exe
O4 - HKLM\..\Run: [dlsmgr] C:\Program Files\dlsmgr\dlsmgr.exe
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [438S33Q] scpistor12.exe
O4 - HKLM\..\Run: [C:\WINDOWS\zzopgi.exe] C:\WINDOWS\zzopgi.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [eealinr] c:\windows\system32\eealinr.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\kara\Application Data\wtta.exe
O4 - HKCU\..\Run: [Xdbszlx] C:\WINDOWS\System32\r?gsvr32.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe


Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\BTGrab.dll
C:\Program Files\CxtPls\
C:\WINDOWS\Helper101.dll
C:\WINDOWS\systb.dll
C:\WINDOWS\System32\jvfjm.dll
C:\WINDOWS\System32\hxabzgbr.dll
C:\WINDOWS\System32\winupdtl.exe
C:\Program Files\CSBB\
C:\WINDOWS\System32\jvfjmc.exe
C:\Program Files\dlsmgr\
:\Program Files\hpdll\
C:\WINDOWS\System32\wsxsvc\
C:\WINDOWS\System32\vmss\
C:\WINDOWS\farmmext.exe
C:\WINDOWS\Temp\TBuninst.exe
c:\windows\system32\scpistor12.exe
C:\WINDOWS\zzopgi.exe
C:\WINDOWS\System32\stcloader.exe
c:\windows\system32\eealinr.exe
C:\WINDOWS\wupdt.exe
C:\Program Files\AutoUpdate\
C:\Documents and Settings\kara\Application Data\wtta.exe
C:\PROGRAM FILES\COMMON FILES\tsa\


Reboot your computer to go back to normal mode and post a new log.

#3 vtalats

vtalats
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:12 AM

Posted 25 January 2005 - 12:14 AM

Thanks so much for the help!!

Here is my latest HJT log. I think that has most of it, but just want to double check. BTW - what is that voygik.exe file that is running and how is it getting started?

Logfile of HijackThis v1.99.0
Scan saved at 12:10:09 AM, on 1/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Concentra\CIS VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\HPConfig.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WebDrive\wdservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\voygik.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\hjt\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vt.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/info/e-center-p
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/info/e-center-p
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Concentra Integrated Services VPN Client.lnk = C:\Program Files\Concentra\CIS VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
O16 - DPF: Metakenkoh Applets - https://beta.bodymedia.com/metakenkoh/files...mmetakenkoh.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O21 - SSODL: Quicken Financial Center - {F552EB27-B6B6-FA06-9C9D-576CC25768FC} - C:\PROGRA~1\QUICKE~1\rem\UNWISE.dll
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: pcAnywhere Host Service - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\Concentra\CIS VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: HP Configuration Service - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: MySql - Unknown - D:\mysql\bin\mysqld-max-nt.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: WebDrive Service - Unknown - C:\Program Files\WebDrive\wdservice.exe

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,714 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:12 AM

Posted 25 January 2005 - 12:21 AM

Good question.

I need to get samples of some of your files. Please create a folder called c:\submit. Now copy the following files into that directory:

C:\WINDOWS\System32\voygik.exe

To copy the files simply navigate to the directory they are in and right click on them and then click on copy. Then paste these files into the c:\submit directory. Once the files are all copied I need you to zip the folder. If you are using XP or ME right-click on the folder and click on the Send To option and then send it to a compressed folder. You will now see a file called submit.zip. If you are using another version of Windows, please download a program called Winzip and zip it using that. Then go to http://www.bleepingcomputer.com, fill in the required fields, and browse to the file. Then click on the Send File button.

I will look at it in the morning and get back to you

#5 vtalats

vtalats
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:12 AM

Posted 26 January 2005 - 12:45 AM

Grinler -- Thanks again.

I tried to find the file voygik.exe in the c:\windows\system32 folder but it was not listed in explorer. I made sure that it was displaying hidden and system files, but it did not show up. So I took another approach and went to a command prompt. I found the file that way. Got it all zipped up, but the link you sent just brought me to the main page of bleeping computer and I did not see where to send the file. So, I ran strings.exe on voygik.exe and dumped the output to a file. Here is a snippet of that output:

-----------------------------------------------------------
!This program cannot be run in DOS mode.
Rich&
.text
.rdata
.data
.rsrc
.aspack
.adata
kernel32.dll
GetProcAddress
GetModuleHandleA
LoadLibraryA
shlwapi.dll
wininet.dll
rpcrt4.dll
user32.dll
advapi32.dll
shell32.dll
StrToIntA
InternetGetConnectedState
UuidCreate
DestroyWindow
RegDeleteKeyA
ShellExecuteA
----------------------------------------------------------

I am gathering that something is "super"-hiding the file. (Maybe the .aspack tag) Also I did not find any entry in my HJT log where this was getting run at startup. I ran msconfig and it had the following line in the startup section:

voygik.exe c:\WINDOWS\system32\voygik.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

I ran regedit and went to that key, but there was no entry for voygik.exe in there. All of the other entries listed by msconfig were listed in the key and all showed up in the HJT log. Can there be hidden entries in the registry?

Finally, I found several oddities in my c:\windows directory. :thumbsup: The first was that there were 250 zero length dat files in the form se###.dat where ### is a 2 or 3 digit number. For example se140.dat. I also found the following binary files that were created at the time that I think all of this started:

searchen.dat
2212005 (There are 2 of these)
del.tmp
kwv2.dat

As I said these are all binary files and are unreadable in a text editor.

Also I found a a directory c:\WINDOWS\bundles which seems to contain a veritable who's who of spyware executables. The directory listing is included below:

58kd52fg.exe
activeshopper.exe
adl_dh.exe
adl_hl.exe
adl_mteststub.exe
adl_zeno.exe
AdSmartMedia_bundle.exe
adv0ltc0m.exe
ast_5_adsav.exe
b2s-162813.exe
Beryllium.exe
bs5-goodyr1.exe
CSv10P070.exe
cxt_big.exe
cxt_wmg.exe
Decade.exe
dh_vl.exe
dir.txt
d_ic.exe
e2g51.exe
EDow_vl.exe
ezStubseedcorn.exe
gogotoolsSILAWO8pi.exe
HelperInstaller.exe
HLInstaller.exe
icmedia2_56.exe
ICMMedia_1cmm3d1a.exe
iehost.exe
installcasino.exe
KnNe1.exe
mfsetup.exe
newmb.exe
new_vcm.exe
NzI0MDo4OjEy.exe
package8033_MARKETING5.exe
pounder.exe
ropbundle.exe
rop_marketing_1_168.exe
runsearch.exe
s4Sept.exe
sahagent-dectest1001.exe
sahagent-onlinetrafficbroker1001.exe
sahagent-seedcorn1002.exe
search_toolbar.exe
Setup1171.exe
setupactiv2.exe
SetupCasino.exe
setup_Incredifind_TrafficSpec.exe
ssee.exe
SSK_B5.EXE
stlb2_seed.exe
thin-8-1-x-x.exe
ventura1.exe
videoinst.exe
vrinstall_icmedia.exe
WebRebates_Auto_InstallSilent.exe
winversion.exe
wrapperouter.exe


Also, since I rebooted my computer to see if voygik.exe would restart, I am including a new HJT log. Thanks again for all of the help.

Logfile of HijackThis v1.99.0
Scan saved at 7:47:17 PM, on 1/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\HPConfig.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WebDrive\wdservice.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\voygik.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vt.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/info/e-center-p
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/info/e-center-p
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
O16 - DPF: Metakenkoh Applets - https://beta.bodymedia.com/metakenkoh/files...mmetakenkoh.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106631443279
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O21 - SSODL: Quicken Financial Center - {F552EB27-B6B6-FA06-9C9D-576CC25768FC} - C:\PROGRA~1\QUICKE~1\rem\UNWISE.dll
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: HP Configuration Service - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: MySql - Unknown - D:\mysql\bin\mysqld-max-nt.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: WebDrive Service - Unknown - C:\Program Files\WebDrive\wdservice.exe

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,714 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:12 AM

Posted 26 January 2005 - 09:26 AM

OK i gave you the wrong link to submit the files to. It should be http://www.bleepingcomputer.com/submit-malware.php

Also is there anyway you can zip up all these files that you discussed, including that bundles directory, and email it to grinler@yahoo.com. If you do stilll have these files and send it , include a link in the message back to this post so i know what its referring to.

After its sent, post back here, and I will continue with the cleanup

#7 vtalats

vtalats
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:12 AM

Posted 26 January 2005 - 10:40 AM

No problem. I will need to gather it all tonight when I get home from work, but you will have it by 9:00 or so tonight.

Thanks again.

#8 vtalats

vtalats
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:12 AM

Posted 26 January 2005 - 10:56 PM

You should have the zip file at your yahoo mail account.

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,714 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:12 AM

Posted 27 January 2005 - 12:41 PM

Download killbox here:

KillBox


Unzip the folder to your desktop.

Start Killbox.exe

When it is open, enter C:\WINDOWS\system32\voygik.exe into the field labeled "Full path of file to delete".

Select the Delete on reboot option.

Then press the button that looks like a red circle with a white X in it.

Your computer will reboot and check to see if the file is gone.

Then post a new log

#10 vtalats

vtalats
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:12 AM

Posted 27 January 2005 - 02:18 PM

Thanks. I will run killbox on the file tonight.

Did you find anything out about the other files I sent you?

Should I delete that bundles directory?

Should I delete the binary *.tmp and *.log files that I sent you?

Should I delete the zero-length se###.dat files I sent?


Thanks in advance for your advice on those other files. :thumbsup:
aml

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,714 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:12 AM

Posted 27 January 2005 - 03:02 PM

Yes you can delete all of those files. Thanks for the bundle directory :thumbsup: Lots of goodies for our team members to play with

#12 vtalats

vtalats
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:12 AM

Posted 27 January 2005 - 03:08 PM

NP

#13 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,714 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:12 AM

Posted 27 January 2005 - 03:11 PM

When you delete all of those post a last log

#14 vtalats

vtalats
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:12 AM

Posted 28 January 2005 - 12:13 AM

OK - Grinler - This is becoming entirely too familiar.

I deleted voygik.exe using killbox. Then I look in the directory and the file is back. I could tell it was deleted and re-spawned because the created timestamp changed. So I looked in the HJT process listing and it was not running voygik so I just deleted it at the command prompt. I then went back and looked at the process listing and there was a file running in the all users startup folder called kuyuin.exe. I looked at the file in the dos prompt and it was exactly the same size as tha voygik.exe file (33,280). So, I used killbox to get rid of that file. Once it rebooted all looked fine in the process listing in HJT, but for the first time there was an O4 line for the voygik.exe startup in HKLM. I used HJT to get rid of it and then I double checked to make sure the files were all gone. :thumbsup: Here is my HJT log. Hopefully, everything is fine now. I do know that I am no longer getting random popups, which I was up until an hour ago.

Thanks again for all of your help.

Logfile of HijackThis v1.99.0
Scan saved at 11:58:36 PM, on 1/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\HPConfig.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WebDrive\wdservice.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vt.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/info/e-center-p
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/info/e-center-p
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
O16 - DPF: Metakenkoh Applets - https://beta.bodymedia.com/metakenkoh/files...mmetakenkoh.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106631443279
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O21 - SSODL: Quicken Financial Center - {F552EB27-B6B6-FA06-9C9D-576CC25768FC} - C:\PROGRA~1\QUICKE~1\rem\UNWISE.dll
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: HP Configuration Service - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: MySql - Unknown - D:\mysql\bin\mysqld-max-nt.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: WebDrive Service - Unknown - C:\Program Files\WebDrive\wdservice.exe

#15 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,714 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:12 AM

Posted 28 January 2005 - 12:30 AM

Well it looks good. Report back tomorrow and tell us if its good still. If it is we will give you the final speech :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users