Oct 15 2005, 09:23 PM, Post #1, New Member
McAfee shield keeps crashing and I keep getting redirected to WinAntiVirus Pro website.

Oct 15 2005, 10:51 PM, Post #2, Master of Disaster Recovery (General Admin)
First:
You have two AntiVirus products running at the same time (McAfee, AVG). To avoid system slowdown and possible corruption, only one should be providing real time protection. Either stop, or remove one of the two.

Second:
Open a Command Prompt Window (Start -> Run -> cmd)
Enter the following commands: (then press 'Enter')

    sc stop SMSC
    sc delete SMSC
    exit

Third:
Please print these instructions out for use in Safe Mode.
Please download VundoFix.exe to your desktop.

QUOTE
Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
This will be the vundo filename spelt backwards. For example, if the vundo dll was vundo.dll you would have the user enter odnuv.*

O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O20 - Winlogon Notify: rqomj - C:\WINDOWS\System32\rqomj.dll

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

Press the CleanUp! button to start the program. It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan
Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

--------------------
Happiness ain't a thing in itself--it's only a contrast with something that ain't pleasant.
Mark Twain

Oct 16 2005, 02:29 AM, Post #3, New Member
ActiveScan

Oct 16 2005, 03:27 AM, Post #4, Master of Disaster Recovery (General Admin)
Please print these instructions out for use in Safe Mode.
Please download VundoFix.exe to your desktop.

QUOTE
Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
This will be the vundo filename spelt backwards. For example, if the vundo dll was vundo.dll you would have the user enter odnuv.*

O20 - Winlogon Notify: urstr - C:\WINDOWS\SYSTEM32\urstr.dll

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

Press the CleanUp! button to start the program. It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan
Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

Oct 16 2005, 04:28 AM, Post #5, New Member

Oct 16 2005, 04:32 AM, Post #6, Master of Disaster Recovery (General Admin)
That looks good, but the first log shows some items not removed by the AV. Virtumonde is gone, but let's be sure there is nothing else straggling behind.

Please download, install, and update the free version of Ewido Security Suite: http://www.ewido.net/en/download/

[1] From the main ewido screen, click on update in the left menu, then click the Start update button.
[2] After the update finishes (the status bar at the bottom will display "Update successful") Close the program after updating (don't scan with it yet, we'll do that in SAFE MODE)

Copy the following instructions to have handy as you will need to be offline, in SAFE MODE and with IE closed so you will not be able to view this page during the process.

Reboot your PC into SAFE MODE
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Next, run a scan with Ewido.
[3] Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so please be patient.
[4] If Ewido finds anything, it will pop up a notification. You can select "remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
[5] When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Copy and paste the results from that scan back here please for review :)

*Note: Ewido is a free trial product for 14 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended). You will still be able to manually update Ewido using the *update* button :)

Oct 16 2005, 06:05 AM, Post #7, New Member
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 6:58:53 p.m., 16/10/2005
+ Report-Checksum: 7ED291AD
+ Scan result:
HKLM\SOFTWARE\Classes\Interface\{A42C0EF4-1C76-43CC-989F-EADC7E4B755D} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{A42C0EF4-1C76-43CC-989F-EADC7E4B755D}\TypeLib\\ -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Setup.Setup1\Clsid\\ -> Spyware.FastFind : Cleaned with backup
HKU\.DEFAULT\Software\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} -> Spyware.MyWay : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\.DEFAULT\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-18\Software\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} -> Spyware.MyWay : Error during cleaning
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-18\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
C:\Program Files\MyWay\myBar\2.bin\MYWAYPLUGINPROXY.CLASS -> Spyware.MyWay : Cleaned with backup
C:\Program Files\ZDF\mmxrx2.exe -> TrojanDownloader.VB.jl : Cleaned with backup
C:\Program Files\ZDF\rawr.exe -> Trojan.LowZones.g : Cleaned with backup
::Report End
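
A saved report in this layout can be triaged mechanically. The following is an added example, not part of the original thread and not Ewido's own tooling; it assumes each finding has the form `location -> detection : result` as in the report above, uses four lines excerpted from that report as sample input, and lists every finding whose result is not a "Cleaned ..." status.

```python
from collections import Counter

# Sample input: lines excerpted from the scan report posted in this thread.
# Raw string so the registry/file backslashes are kept literally.
SAMPLE_REPORT = r"""
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 6:58:53 p.m., 16/10/2005
+ Report-Checksum: 7ED291AD
+ Scan result:
HKU\.DEFAULT\Software\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} -> Spyware.MyWay : Error during cleaning
C:\Program Files\ZDF\mmxrx2.exe -> TrojanDownloader.VB.jl : Cleaned with backup
C:\Program Files\ZDF\rawr.exe -> Trojan.LowZones.g : Cleaned with backup
::Report End
"""

REGISTRY_HIVES = ("HKLM\\", "HKU\\", "HKCU\\", "HKCR\\")

def parse_report(text):
    """Return (header dict, list of finding dicts) from a text report."""
    header, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("+ ") and ":" in line:
            key, _, value = line[2:].partition(":")
            header[key.strip()] = value.strip()
            continue
        # Split on " : " from the right; the colon in "C:\" has no spaces.
        head, sep, result = line.rpartition(" : ")
        location, arrow, detection = head.rpartition(" -> ")
        if not (sep and arrow):
            continue  # rulers, title line, "::Report End"
        kind = "registry" if location.upper().startswith(REGISTRY_HIVES) else "file"
        findings.append({"location": location, "kind": kind,
                         "detection": detection, "result": result})
    return header, findings

def needs_follow_up(findings):
    """Findings whose result is anything other than a 'Cleaned ...' status."""
    return [f for f in findings if not f["result"].lower().startswith("cleaned")]

def summarize(findings):
    """Count findings per detection name, e.g. 'Spyware.MyWay'."""
    return Counter(f["detection"] for f in findings)

if __name__ == "__main__":
    hdr, found = parse_report(SAMPLE_REPORT)
    print(hdr.get("Report-Checksum"), dict(summarize(found)))
    for f in needs_follow_up(found):
        print("NOT CLEANED:", f["kind"], f["location"], "->", f["detection"])
```
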

Oct 16 2005, 06:34 AM Post #8
Master of Disaster Recovery Group: General Admin Posts: 15208 Joined: 24-March 03 From: Albuquerque, NM Member No.: 2879
Thanks,
That will leave you clean!

At last, your system is clean and free of spyware! Want to keep it that way? Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and Internet Explorer. This includes SP1 and SP2 if you use Windows XP. The first defense against infection is a properly patched Operating System.
a. Windows Update: http://windowsupdate.microsoft.com/
If you have Word, Excel, Outlook or other Office programs installed, consider using Microsoft Update instead of Windows Update. See the FAQ page here for more information: http://update.microsoft.com/microsoftupdat...t.aspx?ln=en-us
Also, download and install Microsoft Baseline Analyzer. (Note that MBSA is only for Win 2000 SP3 or later and Office XP or later.) When run, it will check system for security exposures, including missing updates. I suggest running it weekly. You can obtain more information here: http://www.microsoft.com/technet/security/...s/mbsahome.mspx

2. Adjust your security settings for ActiveX:
Select Internet Options from the Control Panels, or from Internet Explorer (Tools -> Internet Options).
Press 'default level', then OK.
Now press "Custom Level."
In the ActiveX controls and plug-ins section set these options:
'Download signed ActiveX controls' - Prompt
'Download unsigned ActiveX controls' - Disable
'Initialize and script ActiveX controls not marked as safe' - Disable
All other options accept the default
For Windows XP SP2 users, check this link for additional steps you can take to secure Internet Explorer: http://www.microsoft.com/technet/security/...xp/iesecxp.mspx
Also, for XP SP2 and IE users, in IE, Tools -> Manage Add-ons will give you a list of all BHO's, Extensions, and ActiveX modules installed on your computer. You can update, enable or disable them.

3. Download and install the following free programs
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm
c. BHODemon: http://www.definitivesolutions.com/bhodemon.htm

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing one (or more) of the following:
a. Microsoft AntiSpyware: http://www.microsoft.com/athome/security/s...re/default.mspx
NOTE: MS AntiSpyware only runs on Windows 2000, XP, and 2003.
b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download
c. AdAware Personal: http://www.lavasoft.de/
Use these programs to regularly scan your system for and remove many forms of spyware/malware. I recommend a combination of Microsoft Spyware and TeaTimer from Spybot S&D. If you use, or plan on using, additional spyware/malware detection and/or removal programs, please check Items 8 and 9.

5. Install 'Spoofstick'
Spoofstick is a simple browser extension that helps users detect spoofed (fake) websites. This extension is free and installs in Internet Explorer and Mozilla Firefox.
a. http://www.corestreet.com/spoofstick

6. Reset System Restore
If you are using Windows ME or Windows XP, please reset your System Restore. See Windows help for information.

7. Clean Temporary Files and Folders
Download and install the disk cleanup utility called Cleanup! from here:
http://cleanup.stevengould.org/
http://www.hijackthislogs.com/dl/CleanUp312.exe
Cleanup! will get rid of any malware which may be hiding in your temp folders (a common hiding place). You may also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingcomputer.com/forums/tutorial93.html
Run the disk cleanup utility called Cleanup! that you have already downloaded and installed. Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, clean out the prefetch folder and the recycle bin. Then reboot into normal mode to let it clean out the remaining files.

8. Rogue/Suspect Anti-Spyware
Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewarrior.com/rogue_anti-spyware.htm

9. Anti-Spyware Programs Compared
Want to know just how effective your anti-spyware program is? Wonder how well any of the "rogue" programs listed above work? Check this link for an independent comparison of several anti-spyware programs: http://www.spywarewarrior.com/asw-test-guide.htm

10. Alternate Browser
Consider using an alternate browser as your default. I recommend and use Firefox as my primary browser. It is still necessary to keep Internet Explorer current and protected in order to use Windows Update.

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857

"It is your responsibility to read and adhere to the End User Licensing Agreement (EULA) of all software and services mentioned."

Good luck, and thanks for coming to our forums for help with your security and malware issues.

Oct 16 2005, 06:53 AM Post #9
New Member Group: Member Posts: 5 Joined: 15-October 05 Member No.: 16605
Thanks so much for your help