fat32

Help! I Think I'm Infected! What Should I Do?

Help, I seriously think I'm infected with some kind of virus. My computer is really slow... sometimes it shuts down by itself. When I run a virus check it says there are viruses detected... auto delete/quarantined... then I run it again... it detects viruses again. What should I do? Please help.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:15, on 09/18/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe

C:\WINDOWS\system32\ZoneLabs\avsys\Monitor.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\Webshots\Webshots.scr

C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe

C:\Documents and Settings\bin\Desktop\Warcraft\W3XMapHack12102.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL

O2 - BHO: Editor plugin - {6C8DE14D-EF92-492f-BBF7-B61F1405F328} - smuhdd.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL

O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe

O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM

O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1177030191437

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O20 - Winlogon Notify: khffdaa - khffdaa.dll (file missing)

O20 - Winlogon Notify: wincqt32 - wincqt32.dll (file missing)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

--

End of file - 8052 bytes


Hi,

 

I see you have 2 firewalls installed and running: ZoneAlarm and the Nvidia firewall (NetworkAccessManager).

Running more than 1 firewall may cause a lot of problems, so I suggest you uninstall the Nvidia firewall (NetworkAccessManager), since this is a buggy firewall anyway.

 

Reboot after uninstalling.

 

* After reboot, download Combofix to your desktop.

In case you already used Combofix previously, please delete the version you have and download it again, because Combofix is being updated every day.

Double-click combofix.exe.

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

 

When finished and after reboot (in case it asks to reboot), Combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.

Post the contents of this log in your next reply together with a new HijackThis log.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.


Hi,

Thank you very much for your prompt reply. I did what you asked: uninstalled the (NetworkAccessManager) firewall. Downloaded Combofix and ran it. Ran HijackThis.

 

Here is the combofix log:

 

ComboFix 07-09-19.8 - "bin" 2007-09-19 11:09:42.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1549 [GMT -7:00]

* Created a new restore point

.

 

((((((((((((((((((((((((( Files Created from 2007-08-19 to 2007-09-19 )))))))))))))))))))))))))))))))

.

 

2007-09-18 21:37 <DIR> d-------- C:\Program Files\Lavasoft

2007-09-18 21:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-09-18 21:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft

2007-09-18 21:29 <DIR> d-------- C:\Program Files\Trend Micro

2007-09-18 20:29 <DIR> d-------- C:\WINDOWS\BDOSCAN8

2007-09-18 19:45 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys

2007-09-17 21:58 <DIR> d-------- C:\DOCUME~1\bin\.housecall6.6

2007-09-17 07:52 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-09-17 03:41 <DIR> d-------- C:\DOCUME~1\bin\WINDOWS

2007-09-17 03:40 150 --a------ C:\temp2.bat

2007-09-17 03:40 15,360 --a------ C:\WINDOWS\system32\drvnusr.dll

2007-09-17 03:37 1 --a------ C:\WINDOWS\system32\ps1.dat

2007-09-17 03:37 1 --a------ C:\WINDOWS\system32\cookie1.dat

2007-09-17 03:36 59,904 --a------ C:\hxvaqsbo.exe

2007-09-17 03:36 52,736 --a------ C:\WINDOWS\system32\smuhdd.dll

2007-09-17 03:24 <DIR> d-------- C:\Program Files\Microsoft Works

2007-09-17 03:23 <DIR> d-------- C:\Program Files\Microsoft.NET

2007-09-17 03:22 <DIR> d-------- C:\WINDOWS\SHELLNEW

2007-09-17 03:21 <DIR> dr-h----- C:\MSOCache

2007-09-17 03:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help

2007-09-17 03:16 60,416 --a------ C:\WINDOWS\system32\ddddd.exe

2007-09-17 00:44 <DIR> d-------- C:\WINDOWS\SxsCaPendDel

2007-09-13 08:22 313,344 --a------ C:\hjsplit.exe

2007-09-13 08:16 <DIR> d-------- C:\Program Files\MagicISO

2007-09-10 02:47 <DIR> d-------- C:\Program Files\Monkey's Audio

2007-09-04 09:15 221,184 --a------ C:\WINDOWS\system32\wmpns.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-09-19 11:11 7080224 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2007-09-19 11:09 698400 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat

2007-09-19 11:08 --------- d-------- C:\DOCUME~1\bin\APPLIC~1\MegauploadToolbar

2007-09-19 11:01 96680 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx

2007-09-19 11:01 67472 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx

2007-09-19 02:11 --------- d-------- C:\Program Files\Warcraft III

2007-09-17 03:40 --------- d-------- C:\Program Files\Microsoft IntelliPoint

2007-09-17 03:36 --------- d-------- C:\Program Files\mIRC

2007-09-17 03:36 --------- d-------- C:\Program Files\Azureus

2007-09-17 03:35 --------- d-------- C:\DOCUME~1\bin\APPLIC~1\Azureus

2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys

2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys

2007-07-31 18:15 --------- d-------- C:\Program Files\MegauploadToolbar

2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll

2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll

2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe

2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll

2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll

2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll

2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll

2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll

2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll

2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C8DE14D-EF92-492f-BBF7-B61F1405F328}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 02:21 C:\WINDOWS\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 03:04 C:\WINDOWS\SkyTel.exe]

"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 05:44]

"JMB36X Configure"="C:\WINDOWS\system32\JMRaidSetup.exe" [2006-10-30 05:44]

"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 16:14]

"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 16:15]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-19 23:34]

"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]

 

C:\DOCUME~1\bin\STARTM~1\Programs\Startup\

Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-04-24 15:00:12]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{837B45D6-BF85-457D-AABF-6D2E7815F791}"= C:\WINDOWS\system32\khffdaa.dll [ ]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khffdaa]

khffdaa.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wincqt32]

wincqt32.dll

 

R0 JGOGO;JMicron Hot-Plug Driver;C:\WINDOWS\system32\DRIVERS\JGOGO.sys

R0 JRAID;JRAID;C:\WINDOWS\system32\DRIVERS\jraid.sys

R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\system32\DRIVERS\point32.sys

S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys

 

.

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-19 11:11:21

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-09-19 11:11:56

C:\ComboFix-quarantined-files.txt ... 2007-09-19 11:11

.

--- E O F ---

 

And here is the HijackThis log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:12:59 AM, on 9/19/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\Webshots\Webshots.scr

C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL

O2 - BHO: Editor plugin - {6C8DE14D-EF92-492f-BBF7-B61F1405F328} - smuhdd.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe

O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM

O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1177030191437

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O20 - Winlogon Notify: khffdaa - khffdaa.dll (file missing)

O20 - Winlogon Notify: wincqt32 - wincqt32.dll (file missing)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

--

End of file - 6762 bytes


Hi,

 

* Open Notepad - don't use any text editor other than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

 

File::
C:\temp2.bat
C:\WINDOWS\system32\drvnusr.dll
C:\WINDOWS\system32\ps1.dat
C:\WINDOWS\system32\cookie1.dat
C:\hxvaqsbo.exe
C:\WINDOWS\system32\smuhdd.dll
C:\WINDOWS\system32\ddddd.exe

DirLook::
C:\DOCUME~1\bin\WINDOWS

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C8DE14D-EF92-492f-BBF7-B61F1405F328}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C17590D2-ECB4-4b15-8820-F58798DCC118}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{837B45D6-BF85-457D-AABF-6D2E7815F791}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khffdaa]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wincqt32]

 

Save this as a text file named CFScript

 

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

 

CFScript.gif

 

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

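Added example, not part of the original thread and not the helper's own tooling: a Python sketch that pulls the HijackThis entries marked "(file missing)" or "(no file)" and checks each target name against the file listing in the ComboFix log, the same two sources the script above draws on. The sample lines are excerpts copied from the logs earlier in this thread; the function names are hypothetical.

```python
import ntpath
import re

# Excerpt copied from the HijackThis log in the first post (not the full log).
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Editor plugin - {6C8DE14D-EF92-492f-BBF7-B61F1405F328} - smuhdd.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O20 - Winlogon Notify: khffdaa - khffdaa.dll (file missing)
O20 - Winlogon Notify: wincqt32 - wincqt32.dll (file missing)
"""

# Excerpt copied from the "Files Created" section of the first ComboFix log.
COMBOFIX_SAMPLE = r"""
2007-09-17 03:40 15,360 --a------ C:\WINDOWS\system32\drvnusr.dll
2007-09-17 03:36 59,904 --a------ C:\hxvaqsbo.exe
2007-09-17 03:36 52,736 --a------ C:\WINDOWS\system32\smuhdd.dll
2007-09-17 03:24 <DIR> d-------- C:\Program Files\Microsoft Works
2007-09-04 09:15 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
ORPHAN_RE = re.compile(r"\s*\((?:file missing|no file)\)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LISTING_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>\S+)\s+"
    r"(?P<attrs>\S+)\s+(?P<path>.+)$"
)


def parse_hijackthis(text):
    """Split each 'Rn/On - ...' line into section code, CLSID and target."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, process list, blank lines
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        last_field = body.rsplit(" - ", 1)[-1]
        entries.append({
            "code": m.group("code"),
            "clsid": clsid.group(0) if clsid else None,
            # Target with the "(file missing)" / "(no file)" marker removed.
            "target": ORPHAN_RE.sub("", last_field),
            "orphan": bool(ORPHAN_RE.search(body)),
        })
    return entries


def parse_combofix_files(text):
    """Map lower-cased file name -> (timestamp, full path); directories skipped."""
    files = {}
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if not m or m.group("attrs").startswith("d"):
            continue
        path = m.group("path")
        files[ntpath.basename(path).lower()] = (m.group("when"), path)
    return files


def correlate(hjt_text, combofix_text):
    """Return orphaned HijackThis entries, annotated with a ComboFix match.

    The match is by file name only, so it is a lead to confirm by hand,
    not proof that the registry entry loads that exact file.
    """
    listed = parse_combofix_files(combofix_text)
    findings = []
    for entry in parse_hijackthis(hjt_text):
        if not entry["orphan"]:
            continue
        name = ntpath.basename(entry["target"]).lower()
        when, path = listed.get(name, (None, None))
        findings.append({**entry, "created": when, "on_disk": path})
    return findings


if __name__ == "__main__":
    for f in correlate(HJT_SAMPLE, COMBOFIX_SAMPLE):
        where = f["on_disk"] or "not in ComboFix listing"
        print(f'{f["code"]:<4}{f["clsid"] or "-":<40}{f["target"] or "-":<14}{where}')
```

On these excerpts, smuhdd.dll is reported as "file missing" by HijackThis yet appears in the ComboFix listing, which is why the script above carries both its file path and its Browser Helper Object key.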

Hi, this is the new Combofix log and HijackThis log:

 

ComboFix 07-09-19.8 - "bin" 2007-09-19 16:33:19.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1517 [GMT -7:00]

Command switches used :: C:\Documents and Settings\bin\Desktop\CFScript.txt

* Created a new restore point

 

FILE::

C:\temp2.bat

C:\WINDOWS\system32\drvnusr.dll

C:\WINDOWS\system32\ps1.dat

C:\WINDOWS\system32\cookie1.dat

C:\hxvaqsbo.exe

C:\WINDOWS\system32\smuhdd.dll

C:\WINDOWS\system32\ddddd.exe

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\hxvaqsbo.exe

C:\temp2.bat

C:\WINDOWS\system32\cookie1.dat

C:\WINDOWS\system32\ddddd.exe

C:\WINDOWS\system32\drvnusr.dll

C:\WINDOWS\system32\ps1.dat

C:\WINDOWS\system32\smuhdd.dll

 

.

((((((((((((((((((((((((( Files Created from 2007-08-19 to 2007-09-19 )))))))))))))))))))))))))))))))

.

 

2007-09-18 21:37 <DIR> d-------- C:\Program Files\Lavasoft

2007-09-18 21:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-09-18 21:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft

2007-09-18 21:29 <DIR> d-------- C:\Program Files\Trend Micro

2007-09-18 20:29 <DIR> d-------- C:\WINDOWS\BDOSCAN8

2007-09-18 19:45 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys

2007-09-17 21:58 <DIR> d-------- C:\DOCUME~1\bin\.housecall6.6

2007-09-17 07:52 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-09-17 03:41 <DIR> d-------- C:\DOCUME~1\bin\WINDOWS

2007-09-17 03:24 <DIR> d-------- C:\Program Files\Microsoft Works

2007-09-17 03:23 <DIR> d-------- C:\Program Files\Microsoft.NET

2007-09-17 03:22 <DIR> d-------- C:\WINDOWS\SHELLNEW

2007-09-17 03:21 <DIR> dr-h----- C:\MSOCache

2007-09-17 03:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help

2007-09-17 00:44 <DIR> d-------- C:\WINDOWS\SxsCaPendDel

2007-09-13 08:22 313,344 --a------ C:\hjsplit.exe

2007-09-13 08:16 <DIR> d-------- C:\Program Files\MagicISO

2007-09-10 02:47 <DIR> d-------- C:\Program Files\Monkey's Audio

2007-09-04 09:15 221,184 --a------ C:\WINDOWS\system32\wmpns.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-09-19 16:36 7146528 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2007-09-19 16:36 702240 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat

2007-09-19 16:35 97784 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx

2007-09-19 16:35 67928 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx

2007-09-19 13:33 --------- d-------- C:\Program Files\Warcraft III

2007-09-19 11:24 --------- d-------- C:\DOCUME~1\bin\APPLIC~1\MegauploadToolbar

2007-09-17 03:40 --------- d-------- C:\Program Files\Microsoft IntelliPoint

2007-09-17 03:36 --------- d-------- C:\Program Files\mIRC

2007-09-17 03:36 --------- d-------- C:\Program Files\Azureus

2007-09-17 03:35 --------- d-------- C:\DOCUME~1\bin\APPLIC~1\Azureus

2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys

2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys

2007-07-31 18:15 --------- d-------- C:\Program Files\MegauploadToolbar

2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll

2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll

2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe

2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll

2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll

2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll

2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll

2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll

2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll

2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll

.

 

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

---- Directory of C:\DOCUME~1\bin\WINDOWS ----

 

2007-09-17 03:41 582 --a------ C:\DOCUME~1\bin\WINDOWS\win.ini

 

 

((((((((((((((((((((((((((((( snapshot_2007-09-19_111139.43 )))))))))))))))))))))))))))))))))))))))))

.

---h--w 4,212 2007-09-19 23:36:46 C:\WINDOWS\system32\zllictbl.dat

----a-w 5,600,151 2007-09-19 19:00:44 C:\WINDOWS\system32\ZoneLabs\spyware.dat

----a-w 3,215,360 2007-09-19 23:35:09 C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat

----a-w 879,632 2007-09-19 23:36:22 C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat

.

---h--w 4,212 2007-09-19 18:02:35 C:\WINDOWS\system32\zllictbl.dat

----a-w 5,414,049 2007-09-07 04:41:16 C:\WINDOWS\system32\ZoneLabs\spyware.dat

----a-w 3,153,408 2007-09-19 04:19:48 C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat

----a-w 880,864 2007-09-19 18:01:56 C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 02:21 C:\WINDOWS\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 03:04 C:\WINDOWS\SkyTel.exe]

"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 05:44]

"JMB36X Configure"="C:\WINDOWS\system32\JMRaidSetup.exe" [2006-10-30 05:44]

"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 16:14]

"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 16:15]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-19 23:34]

"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]

 

C:\DOCUME~1\bin\STARTM~1\Programs\Startup\

Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-04-24 15:00:12]

 

R0 JGOGO;JMicron Hot-Plug Driver;C:\WINDOWS\system32\DRIVERS\JGOGO.sys

R0 JRAID;JRAID;C:\WINDOWS\system32\DRIVERS\jraid.sys

R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\system32\DRIVERS\point32.sys

S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys

 

.

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-19 16:36:55

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-09-19 16:38:50 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-09-19 16:38

C:\ComboFix2.txt ... 2007-09-19 11:11

.

--- E O F ---

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:39:42 PM, on 9/19/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe

C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\Webshots\Webshots.scr

C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe

O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM

O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1177030191437

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

--

End of file - 6583 bytes


Hi,

 

Delete the C:\Qoobox folder

 

Since you have no Antivirus installed..

 

* Please install Avira Antivirus: http://www.free-av.com/

 

Perform a full scan with Avira and let it delete everything it finds.

Then reboot.

After reboot, open your Avira and select "reports".

There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.


Hi,

I have an antivirus from ZoneAlarm. Does that count?...Anyways, I deleted C:\Qoobox and downloaded Avira Antivirus per your instructions. Here is the report file....Btw, thank you very much for helping me.

 

AntiVir PersonalEdition Classic

Report file date: Thursday, September 20, 2007 10:28

 

Scanning for 1076738 virus strains and unwanted programs.

 

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Username: bin

Computer name: BINCOMP-B8DE739

 

Version information:

BUILD.DAT : 268 15604 Bytes 8/31/2007 13:04:00

AVSCAN.EXE : 7.0.6.1 290856 Bytes 9/20/2007 17:24:02

AVSCAN.DLL : 7.0.6.0 49192 Bytes 9/20/2007 17:24:02

LUKE.DLL : 7.0.5.3 147496 Bytes 9/20/2007 17:24:03

LUKERES.DLL : 7.0.6.1 10280 Bytes 9/20/2007 17:24:03

ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 5/31/2006 22:08:58

ANTIVIR1.VDF : 6.39.0.129 7251968 Bytes 7/10/2007 17:24:05

ANTIVIR2.VDF : 6.39.1.120 1918464 Bytes 9/12/2007 17:24:06

ANTIVIR3.VDF : 6.39.1.159 193024 Bytes 9/20/2007 17:24:06

AVEWIN32.DLL : 7.6.0.15 2806272 Bytes 9/20/2007 17:24:06

AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 18:36:26

AVPREF.DLL : 7.0.2.2 25640 Bytes 9/20/2007 17:24:02

AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 21:16:24

AVPACK32.DLL : 7.3.0.15 360488 Bytes 9/20/2007 17:24:06

AVREG.DLL : 7.0.1.6 30760 Bytes 9/20/2007 17:24:02

AVARKT.DLL : 1.0.0.20 278568 Bytes 9/20/2007 17:24:02

AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 9/20/2007 17:24:02

NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 19:09:42

RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 9/20/2007 17:23:55

RCTEXT.DLL : 7.0.62.0 86056 Bytes 9/20/2007 17:23:55

SQLITE3.DLL : 3.3.17.1 339968 Bytes 9/20/2007 17:24:03

 

Configuration settings for the scan:

Jobname..........................: Local Drives

Configuration file...............: c:\program files\antivir personaledition classic\alldrives.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: off

Scan boot sector.................: on

Boot sectors.....................: E:,

Scan memory......................: on

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

 

Start of the scan: Thursday, September 20, 2007 10:28

 

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'firefox.exe' - '1' Module(s) have been scanned

Scan process 'mantispm.exe' - '1' Module(s) have been scanned

Scan process 'Webshots.scr' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'zlclient.exe' - '0' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'ipoint.exe' - '1' Module(s) have been scanned

Scan process 'itype.exe' - '1' Module(s) have been scanned

Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'Monitor.exe' - '0' Module(s) have been scanned

Scan process 'ScanningProcess.exe' - '0' Module(s) have been scanned

Scan process 'ScanningProcess.exe' - '0' Module(s) have been scanned

Scan process 'aawservice.exe' - '1' Module(s) have been scanned

Scan process 'vsmon.exe' - '0' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

30 processes with 30 modules were scanned

 

Start scanning boot sectors:

Boot sector 'C:\'

[NOTE] No virus was found!

Boot sector 'D:\'

[NOTE] No virus was found!

Boot sector 'F:\'

[NOTE] No virus was found!

Boot sector 'A:\'

[NOTE] In the drive 'A:\' no data medium is inserted!

 

Starting to scan the registry.

The registry was scanned ( '31' files ).

 

 

Starting the file scan:

 

Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\Documents and Settings\bin\.housecall6.6\Quarantine\win1EB.tmp.exe.bac_a02012

[DETECTION] Contains detection pattern of the dropper DR/Dldr.PurityScan.EG.7

[INFO] The file was deleted!

C:\RECYCLER\S-1-5-21-1004336348-2025429265-725345543-1003\Dc2\Quarantine\catchme2007-09-17_ 75850.85.zip

[0] Archive type: ZIP

--> xpdx.sys

[DETECTION] Is the Trojan horse TR/Rootkit.Gen

[INFO] The file was deleted!

Begin scan in 'D:\' <DSK1_VOL2>

D:\Azureus Downloads\Microsoft Office 2007.zip

[0] Archive type: ZIP

--> Keygen.exe

[DETECTION] Contains detection pattern of the worm WORM/Rbot.314880.1

[INFO] The file was deleted!

Begin scan in 'F:\' <My Book>

Begin scan in 'A:\'

Search path A:\ could not be opened!

The device is not ready.

 

Begin scan in 'E:\' <TheFrozenThrone>

 

 

End of the scan: Thursday, September 20, 2007 12:06

Used time: 1:37:36 min

 

The scan has been done completely.

 

3459 Scanning directories

251781 Files were scanned

3 viruses and/or unwanted programs were found

0 Files were classified as suspicious:

3 files were deleted

0 files were repaired

0 files were moved to quarantine

0 files were renamed

1 Files cannot be scanned

251778 Files not concerned

1538 Archives were scanned

1 Warnings

45 Notes


Hi,

 

Basically, ZoneAlarm is a Firewall, but there's also a version with an Antivirus present - but that version is not for free.

So not sure here if you purchased ZoneAlarm or not. In case you're using the trial, once the trial has expired, you won't be able to update anymore and the Antivirus won't protect you either.

That's the advantage of Avira - it's for free and never expires.

 

Anyway, I see that Avira removed the leftovers.

 

Note.. I see Avira flagged this:

 

D:\Azureus Downloads\Microsoft Office 2007.zip

[0] Archive type: ZIP

--> Keygen.exe

[DETECTION] Contains detection pattern of the worm WORM/Rbot.314880.1

I see you're not afraid of visiting cracksites, downloading cracks via P2P...

If you visit cracksites, download cracks, use cracks, you'll ALWAYS get infected. This is not only because of the crack itself, but because one single click entering that site may already download and install a huge malware bundle. Also, these so-called cracks are in most cases malware - as in the above case, it was a Worm/Rbot.

You really have to change your surfing habits though, because these malware bundles may contain a keylogger, collecting all your passwords and installing other random malware, compromising your system including infecting other computers. And all this because you visited some illegal sites.

Also, keep in mind, malware DAMAGES A LOT! And the damage can't always be repaired, so a format and reinstall is the only solution in such cases.

So is it really worth it? Get illegal software for "free", but compromise/break your computer instead.... :)

Better to avoid this instead and change your surfing habits. Then this wouldn't have happened.

 

Also, please change all your passwords, because they are currently known.

 

Anyway,

How are things running now?


Hi,

The computer is running great. I ran another complete scan with Avira Antivirus. Here is the log. Again, I thank you very much for your help and I promise to change my surfing habits.

 

 

 

AntiVir PersonalEdition Classic

Report file date: Thursday, September 20, 2007 12:33

 

Scanning for 1076738 virus strains and unwanted programs.

 

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Username: SYSTEM

Computer name: BINCOMP-B8DE739

 

Version information:

BUILD.DAT : 268 15604 Bytes 8/31/2007 13:04:00

AVSCAN.EXE : 7.0.6.1 290856 Bytes 9/20/2007 17:24:02

AVSCAN.DLL : 7.0.6.0 49192 Bytes 9/20/2007 17:24:02

LUKE.DLL : 7.0.5.3 147496 Bytes 9/20/2007 17:24:03

LUKERES.DLL : 7.0.6.1 10280 Bytes 9/20/2007 17:24:03

ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 5/31/2006 22:08:58

ANTIVIR1.VDF : 6.39.0.129 7251968 Bytes 7/10/2007 17:24:05

ANTIVIR2.VDF : 6.39.1.120 1918464 Bytes 9/12/2007 17:24:06

ANTIVIR3.VDF : 6.39.1.159 193024 Bytes 9/20/2007 17:24:06

AVEWIN32.DLL : 7.6.0.15 2806272 Bytes 9/20/2007 17:24:06

AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 18:36:26

AVPREF.DLL : 7.0.2.2 25640 Bytes 9/20/2007 17:24:02

AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 21:16:24

AVPACK32.DLL : 7.3.0.15 360488 Bytes 9/20/2007 17:24:06

AVREG.DLL : 7.0.1.6 30760 Bytes 9/20/2007 17:24:02

AVARKT.DLL : 1.0.0.20 278568 Bytes 9/20/2007 17:24:02

AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 9/20/2007 17:24:02

NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 19:09:42

RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 9/20/2007 17:23:55

RCTEXT.DLL : 7.0.62.0 86056 Bytes 9/20/2007 17:23:55

SQLITE3.DLL : 3.3.17.1 339968 Bytes 9/20/2007 17:24:03

 

Configuration settings for the scan:

Jobname..........................: Complete system scan

Configuration file...............: c:\program files\antivir personaledition classic\sysscan.avp

Logging..........................: low

Primary action...................: delete

Secondary action.................: ignore

Scan master boot sector..........: off

Scan boot sector.................: on

Boot sectors.....................: F:,

Scan memory......................: on

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

 

Start of the scan: Thursday, September 20, 2007 12:33

 

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'firefox.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'wuauclt.exe' - '1' Module(s) have been scanned

Scan process 'mantispm.exe' - '1' Module(s) have been scanned

Scan process 'Webshots.scr' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'zlclient.exe' - '0' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'ipoint.exe' - '1' Module(s) have been scanned

Scan process 'itype.exe' - '1' Module(s) have been scanned

Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'Monitor.exe' - '0' Module(s) have been scanned

Scan process 'ScanningProcess.exe' - '0' Module(s) have been scanned

Scan process 'ScanningProcess.exe' - '0' Module(s) have been scanned

Scan process 'aawservice.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'vsmon.exe' - '0' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

31 processes with 31 modules were scanned

 

Start scanning boot sectors:

Boot sector 'C:\'

[NOTE] No virus was found!

Boot sector 'D:\'

[NOTE] No virus was found!

Boot sector 'F:\'

[NOTE] No virus was found!

 

Starting to scan the registry.

The registry was scanned ( '24' files ).

 

 

Starting the file scan:

 

Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\System Volume Information\_restore{02E87D6B-D0DD-4537-8D95-6F2E6AD38602}\RP77\A0031568.exe

[DETECTION] Contains detection pattern of the worm WORM/Rbot.314880.1

[INFO] The file was deleted!

C:\System Volume Information\_restore{02E87D6B-D0DD-4537-8D95-6F2E6AD38602}\RP77\A0031569.exe

[DETECTION] Contains detection pattern of the worm WORM/Rbot.314880.1

[INFO] The file was deleted!

C:\System Volume Information\_restore{02E87D6B-D0DD-4537-8D95-6F2E6AD38602}\RP77\A0031571.exe

[0] Archive type: RAR SFX (self extracting)

--> keygen.exe

[DETECTION] Is the Trojan horse TR/Vundo.Gen

--> patch.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

--> crack.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

--> install.exe

[DETECTION] Is the Trojan horse TR/Dldr.Agent.crb

--> RUNME.bat

[DETECTION] Contains detection pattern of the batch virus BAT/ConHook.Z

[INFO] The file was deleted!

C:\System Volume Information\_restore{02E87D6B-D0DD-4537-8D95-6F2E6AD38602}\RP77\A0031574.exe

[DETECTION] Is the Trojan horse TR/Vundo.Gen

[INFO] The file was deleted!

C:\System Volume Information\_restore{02E87D6B-D0DD-4537-8D95-6F2E6AD38602}\RP79\A0035794.exe

[0] Archive type: RAR SFX (self extracting)

--> setpath.cfexe

[DETECTION] Contains suspicious code HEUR/Malware

[INFO] The file was deleted!

C:\System Volume Information\_restore{02E87D6B-D0DD-4537-8D95-6F2E6AD38602}\RP83\A0036375.exe

[WARNING] The file could not be opened!

C:\System Volume Information\_restore{02E87D6B-D0DD-4537-8D95-6F2E6AD38602}\RP84\A0036575.exe

[0] Archive type: RAR SFX (self extracting)

--> setpath.cfexe

[DETECTION] Contains suspicious code HEUR/Malware

[INFO] The file was deleted!

Begin scan in 'D:\' <DSK1_VOL2>

Begin scan in 'F:\' <My Book>

 

 

End of the scan: Thursday, September 20, 2007 14:42

Used time: 2:08:26 min

 

The scan has been done completely.

 

3449 Scanning directories

277331 Files were scanned

8 viruses and/or unwanted programs were found

2 Files were classified as suspicious:

6 files were deleted

0 files were repaired

0 files were moved to quarantine

0 files were renamed

2 Files cannot be scanned

277323 Files not concerned

1484 Archives were scanned

2 Warnings

45 Notes

Edited by fat32


Hi,

 

What was found is in your System Restore points. When your system makes a "snapshot" (a system restore point) while you were infected, the malware-related files will also be a part of that system restore point.

They cannot do anything there, unless you select System Restore and restore it to the date when the malware was still present.

Anyway, Avira deleted them from there as well.

 

Glad to hear everything is running OK again.

 

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

 

Happy Surfing again!

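The reading of the two AntiVir reports given in the replies above (leftovers in a scanner quarantine folder, a hit inside a downloaded archive, copies held in System Restore points) can be automated. The following is an added Python example, not part of the thread and not Avira's tooling; the location markers and the follow-up rule are assumptions, and the sample is excerpted from the reports posted above.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Combined excerpt of the two AntiVir reports posted in this thread.
REPORT = r"""
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\bin\.housecall6.6\Quarantine\win1EB.tmp.exe.bac_a02012
[DETECTION] Contains detection pattern of the dropper DR/Dldr.PurityScan.EG.7
[INFO] The file was deleted!
C:\System Volume Information\_restore{02E87D6B-D0DD-4537-8D95-6F2E6AD38602}\RP77\A0031571.exe
[0] Archive type: RAR SFX (self extracting)
--> keygen.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
--> patch.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{02E87D6B-D0DD-4537-8D95-6F2E6AD38602}\RP83\A0036375.exe
[WARNING] The file could not be opened!
D:\Azureus Downloads\Microsoft Office 2007.zip
[0] Archive type: ZIP
--> Keygen.exe
[DETECTION] Contains detection pattern of the worm WORM/Rbot.314880.1
[INFO] The file was deleted!
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\\S")        # a scanned file: drive-letter path
TAG_RE = re.compile(r"^\[(\w+)\]\s*(.*)$")     # [DETECTION], [INFO], [WARNING], [0]
# Assumed location markers (lower case): where a hit is a stored copy, not a live file.
LOCATIONS = (("\\system volume information\\_restore{", "system-restore"),
             ("\\quarantine\\", "quarantine"))

@dataclass
class Finding:
    path: str
    location: str
    detections: list = field(default_factory=list)  # (archive member or None, name)
    action: str = ""
    unreadable: bool = False

def classify(path):
    p = path.lower()
    return next((name for marker, name in LOCATIONS if marker in p), "live")

def parse_report(text):
    findings, cur, member = [], None, None
    for line in map(str.strip, text.splitlines()):
        if PATH_RE.match(line):                 # new file record; reset archive member
            cur, member = Finding(line, classify(line)), None
            findings.append(cur)
        elif cur is None:
            continue
        elif line.startswith("-->"):            # member inside an archive
            member = line[3:].strip()
        elif (m := TAG_RE.match(line)):
            tag, rest = m.group(1).upper(), m.group(2)   # upper(): also accepts [iNFO]
            if tag == "DETECTION" and rest:
                cur.detections.append((member, rest.split()[-1]))
            elif tag == "INFO":
                cur.action = rest
            elif tag == "WARNING" and "could not be opened" in rest:
                cur.unreadable = True
    return findings

def triage(findings):
    """Count hits per location and list the paths that still need a human look."""
    counts = Counter(f.location for f in findings if f.detections)
    follow_up = [f.path for f in findings
                 # hit in a normal folder, or a hit that was not deleted
                 if (f.detections and (f.location == "live" or "deleted" not in f.action))
                 # restore-point file the scanner could not read: status unknown
                 or (f.unreadable and f.location == "system-restore")]
    return counts, follow_up

if __name__ == "__main__":
    counts, todo = triage(parse_report(REPORT))
    print(dict(counts), *todo, sep="\n")
```

On this excerpt the follow-up list holds the unreadable restore-point file and the archive in the download folder; the quarantine and restore-point hits that were deleted are only counted.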

Hi,

Thank you very much for helping me restore my computer. I will definitely use your prevention tips and change my bad surfing habits. This forum is great and you are great. Again, I thank you sincerely. Have a great day, week, month, year, life ! :)


You're most welcome :)


Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
