Hijacker: Personal antivirus is driving me nuts...I've posted my log. Help please.

fatbasta · 06-30-2009, 12:31 PM

Hijacker keeps taking me to "personal Antivirus" site and it's driving me nuts.
Here's my log... any help would be appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:54 AM, on 6/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VPNremote for Windows XP\AvVpnService.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\enstart.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Avaya\ATA\ATALauncher.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Avaya\ATA\ATA.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\ccchelp\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://associate.avaya.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://associate.avaya.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = co.proxy.avaya.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.avaya.com;155.184.*;<local>
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: &Helper - {A77D3539-581D-450C-9E44-A84C415A6172} - C:\WINDOWS\system32\msxmlm.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: AvayaIEHlprObj Class - {E6DF0B46-7D6F-407A-A6A2-62D17A021A9A} - C:\Program Files\Avaya\Avaya IP Softphone\AvayaWebDial.dll
O3 - Toolbar: (no name) - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [wksetup] C:\WINDOWS\system32\wksetup\wksetup.bat
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [PersonalAV] C:\Program Files\PersonalAV\pav.exe
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [McAfee Host Intrusion Prevention Tray] "C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe"
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAuto nomicMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPw rMonitor
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATA] C:\Program Files\Avaya\ATA\ATALauncher.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtim e.dll,_RunDLLEntry@16
O4 - HKLM\..\RunOnce: [NSSInstallation] C:\WINDOWS\system32\Adobe\Shockwave 11\nssstub.exe /RunOnce
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - S-1-5-18 Startup: IMVU.lnk = C:\Documents and Settings\brhill\Application Data\IMVUClient\IMVUClient.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: IMVU.lnk = C:\Documents and Settings\brhill\Application Data\IMVUClient\IMVUClient.exe (User 'Default user')
O4 - Global Startup: Avaya IP Softphone Reset.lnk = C:\Program Files\Avaya\Avaya IP Softphone\IP Service Provider\pwreset.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\brhill\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://itms.avaya.com (HKLM)
O16 - DPF: Concur Expense Applets - https://nxmsp07.eng.avaya.com/expens...cnqr2k4_ie.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...tup1.0.1.1.cab
O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://tmpctd01.usae.avaya.com/qcbin/Spider90.ocx
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game04.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {C0D2212A-5EF2-44F8-9441-1DB60F128112} (Siebel Option Pack for IE 7.5.3) - http://salestools.avaya.com/sales/16...OptionPack.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://ussrpts.avaya.com/viewer/acti...ivexviewer.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://juniper.net/dana-cached/setu...erSetupSP1.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/J...etupClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = global.avaya.com
O17 - HKLM\Software\..\Telephony: DomainName = global.avaya.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C75BBF9-A140-44D9-84AB-F283B4CA2F42}: Domain = avaya.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{97995E44-E87F-4334-AB79-1BF9C27B9A86}: Domain = avaya.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = global.avaya.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = avaya.com,sd.avaya.com,eng.avaya.com,bcs.avaya.com ,usae.avaya.com,usaw.avaya.com,global.avaya.com,ap ac.avaya.com,cnda.avaya.com,cala.avaya.com,emea.av aya.com,ecs.avaya.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{3C75BBF9-A140-44D9-84AB-F283B4CA2F42}: Domain = avaya.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = global.avaya.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = avaya.com,sd.avaya.com,eng.avaya.com,bcs.avaya.com ,usae.avaya.com,usaw.avaya.com,global.avaya.com,ap ac.avaya.com,cnda.avaya.com,cala.avaya.com,emea.av aya.com,ecs.avaya.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{3C75BBF9-A140-44D9-84AB-F283B4CA2F42}: Domain = avaya.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = avaya.com,sd.avaya.com,eng.avaya.com,bcs.avaya.com ,usae.avaya.com,usaw.avaya.com,global.avaya.com,ap ac.avaya.com,cnda.avaya.com,cala.avaya.com,emea.av aya.com,ecs.avaya.com
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Avaya VPN Service (AvService) - Unknown owner - C:\Program Files\VPNremote for Windows XP\AvVpnService.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: enstart - Unknown owner - C:\WINDOWS\System32\enstart.exe
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee HIPSCore Service (hips) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iClarityQoSService - AVAYA Communication - C:\WINDOWS\System32\QosServM.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
O23 - Service: OracleDEFAULT_HOME_817ClientCache - Unknown owner - C:\ORAWIN_817\bin\ONRSD.EXE (file missing)
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: SMS Remote Control Agent (Wuser32) - Unknown owner - C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.ex e (file missing)

--
End of file - 16030 bytes

Osiris · 06-30-2009, 12:42 PM

I need you to run combofix and malwarebytes, post both of their logs as well as a new hijackthis log.

Programs can be found in my guide below

fatbasta · 06-30-2009, 01:50 PM

Wow you are quick to respond, Thanks. Here's the other 2 logs you requested.
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

6/30/2009 12:41:24 PM
mbam-log-2009-06-30 (12-41-24).txt

Scan type: Quick Scan
Objects scanned: 111813
Time elapsed: 6 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 89
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\funwebproducts.datacontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillersche duler (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillersche duler.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercon trolbar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercon trolbar.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager. 1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager. 1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutt on (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutt on.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersetting scontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersetting scontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplu gin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplu gin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugi n (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugi n.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin .1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverin staller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverin staller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{07b18ea0-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{0d26bc71-a633-4e71-ad31-eadc3a1b6a3a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{29d67d3c-509a-4544-903f-c8c1b8236554} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3e720450-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{7473d290-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8ca01f0e-987c-49c3-b852-2f1ac4a7094c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8e6f1830-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c8cecde3-1ae1-4c4a-ad82-6d5b00212144} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\W MPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

fatbasta · 06-30-2009, 01:53 PM

2nd one...(first half)
ComboFix 09-06-29.07 - ccchelp 06/30/2009 12:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.581 [GMT -5:00]
Running from: c:\documents and settings\ccchelp\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: McAfee Host Intrusion Prevention Firewall *enabled* {2F1275E3-2F4F-43E9-944B-3F63F9BDA5F5}
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\brhill\Application Data\FunWebProducts
c:\documents and settings\brhill\Application Data\FunWebProducts\Data\brhill\avatar.dat
c:\documents and settings\brhill\Application Data\FunWebProducts\Data\brhill\register.dat
c:\documents and settings\brhill\Application Data\FunWebProducts\Data\brhill\zbucks.dat
c:\documents and settings\brhill\Local Settings\Temporary Internet Files\ARM2D.tmp
c:\documents and settings\brhill\Local Settings\Temporary Internet Files\image002 (2).jpg
c:\documents and settings\brhill\Local Settings\Temporary Internet Files\image002 (3).jpg
c:\documents and settings\brhill\Local Settings\Temporary Internet Files\image002.jpg
c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Images\01756599.u rr
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.h tml
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn .html
c:\program files\FunWebProducts\Shared\Cache\WebfettiBtn.html
c:\program files\Internet Explorer\msimg32.dll
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\1.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Avatar\COMMON\avatar.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\common-x.css
c:\program files\MyWebSearch\bar\Avatar\COMMON\common.css
c:\program files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\ext_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\ext_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\include.js
c:\program files\MyWebSearch\bar\Avatar\COMMON\index.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\loader.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\loading.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\logo.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\max_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\max_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\min_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\min_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\noflash.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\res_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\res_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\spacer.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\spacer.swf
c:\program files\MyWebSearch\bar\Avatar\COMMON\topgrad.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\window.ico
c:\program files\MyWebSearch\bar\Cache\002D7CDE.bin
c:\program files\MyWebSearch\bar\Cache\002D80B3.bin
c:\program files\MyWebSearch\bar\Cache\002D833E
c:\program files\MyWebSearch\bar\Cache\01603907.bin
c:\program files\MyWebSearch\bar\Cache\01603C47.bin
c:\program files\MyWebSearch\bar\Cache\01604094.bin
c:\program files\MyWebSearch\bar\Cache\0160471D.bin
c:\program files\MyWebSearch\bar\Cache\016048F3.bin
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\program files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\msxmlm.dll

----- BITS: Possible infected sites -----

hxxp://WUSWESTSMS2.GLOBAL.AVAYA.COM:90
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

2009-06-30 17:20 . 2009-06-30 17:20 113 ----a-w- c:\windows\system32\api_hook_list.dat
2009-06-30 17:20 . 2008-10-30 20:29 38016 ----a-w- c:\windows\system32\HIPIS0e0118e.dll
2009-06-30 15:39 . 2009-06-30 15:39 -------- d-----w- c:\windows\ERUNT
2009-06-30 15:34 . 2009-06-30 16:01 -------- d-----w- C:\SDFix
2009-06-29 14:21 . 2009-06-29 14:21 -------- d-----w- c:\documents and settings\ccchelp\Local Settings\Application Data\Adobe
2009-06-29 14:20 . 2009-06-29 14:21 -------- d-----w- c:\documents and settings\ccchelp\Local Settings\Application Data\kfor
2009-06-29 14:20 . 2009-06-29 14:20 -------- d-----w- c:\documents and settings\ccchelp\Local Settings\Application Data\Google
2009-06-29 14:20 . 2009-06-29 14:20 -------- d-----w- c:\documents and settings\ccchelp\Application Data\FaxCtr
2009-06-28 03:29 . 2009-06-29 18:50 -------- d-----w- c:\program files\Common Files\Uninstall
2009-06-22 01:50 . 2009-06-22 01:50 -------- d-----w- c:\windows\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-06-30 16:46 . 2005-09-22 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AStartup
2009-06-30 15:30 . 2009-02-10 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\4 Warn Alert
2009-06-29 21:44 . 2005-09-22 21:38 -------- d-----w- c:\program files\VPNremote for Windows XP
2009-06-29 19:03 . 2005-09-22 21:01 -------- d-----w- c:\program files\ThinkPad
2009-06-29 15:01 . 2005-09-22 22:14 -------- d-----w- c:\documents and settings\brhill\Application Data\ALogon
2009-06-20 15:14 . 2007-12-28 02:38 -------- d-----w- c:\program files\lx_cats
2009-06-02 18:12 . 2009-06-02 18:12 879698 ----a-w- c:\windows\java\Packages\BT3XR93T.ZIP
2009-05-26 20:37 . 2009-05-24 14:06 -------- d-----w- c:\documents and settings\brhill\Application Data\Juniper Networks
2009-05-24 14:06 . 2009-05-24 14:06 37021 ----a-w- c:\documents and settings\brhill\Application Data\Juniper Networks\Setup\uninstall.exe
2009-05-17 01:51 . 2007-09-06 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-05-17 01:51 . 2004-04-28 21:56 -------- d-----w- c:\program files\Network Associates
2009-05-17 01:49 . 2004-04-28 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Network Associates
2009-05-17 01:49 . 2009-05-17 01:49 -------- d-----w- c:\program files\Common Files\McAfee Inc
2009-05-17 01:49 . 2007-09-06 17:39 -------- d-----w- c:\program files\McAfee
2009-05-14 16:36 . 2009-05-14 16:36 -------- d-----w- c:\program files\Juniper Networks
2009-05-14 16:36 . 2009-05-14 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Juniper Networks
2009-05-07 15:44 . 2002-08-29 17:41 344064 ------w- c:\windows\system32\localspl.dll
2009-05-04 01:56 . 2009-05-04 01:56 91184 ----a-w- c:\documents and settings\brhill\Application Data\Juniper Networks\Host Checker\CAntiVirusCOM.dll
2009-05-04 01:56 . 2009-05-04 01:56 792112 ----a-w- c:\documents and settings\brhill\Application Data\Juniper Networks\Host Checker\AVManagerUnified.dll
2009-05-04 01:56 . 2009-05-04 01:56 35888 ----a-w- c:\documents and settings\brhill\Application Data\Juniper Networks\Host Checker\OPSWATProcessesScanner.dll
2009-05-04 01:56 . 2009-05-04 01:56 30768 ----a-w- c:\documents and settings\brhill\Application Data\Juniper Networks\Host Checker\CFireWallCOM.dll
2009-05-04 01:56 . 2009-05-04 01:56 150064 ----a-w- c:\documents and settings\brhill\Application Data\Juniper Networks\Host Checker\FWManager.dll
2009-04-17 09:58 . 2002-08-29 16:14 1846656 ------w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-04-28 17:31 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2000-04-13 21:10 . 2004-04-29 15:35 73184 ----a-w- c:\program files\Common Files\Dao2535.tlb
2000-04-13 21:09 . 2004-04-29 15:35 582144 ----a-w- c:\program files\Common Files\Dao350.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

fatbasta · 06-30-2009, 01:54 PM

2nd one, 2nd half...

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"wksetup"="c:\windows\system32\wksetup\wksetup.bat " [2004-10-06 342]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPH KMGR.exe" [2006-10-02 94208]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-10 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-10 512000]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_04\bin\jusched.exe" [2004-02-23 32881]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 1368064]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-28 111952]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\udaterui.exe" [2008-11-03 136512]
"McAfee Host Intrusion Prevention Tray"="c:\program files\McAfee\Host Intrusion Prevention\FireTray.exe" [2008-12-01 972096]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 291504]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-25 295600]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2007-06-25 82608]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp .Exe" [2007-04-27 243248]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfE x.dll" [2004-07-29 395776]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2004-07-29 20480]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.d ll" [2004-07-29 110592]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-11-17 344064]
"ATA"="c:\program files\Avaya\ATA\ATALauncher.exe" [2006-09-18 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X 86\3\LXCYtime.dll" [2006-11-21 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]
"BluetoothAuthenticationAgent"="irprops.cpl" - c:\windows\system32\irprops.cpl [2004-08-04 380416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce]
"NSSInstallation"="c:\windows\system32\Adobe\Shock wave 11\nssstub.exe" [2009-06-02 181624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Avaya IP Softphone Reset.lnk - c:\program files\Avaya\Avaya IP Softphone\IP Service Provider\pwreset.exe [2005-9-22 45056]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-23 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
"dontdisplaylockeduserid"= 3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 04:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 01:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\group policy\state\S-1-5-21-790525478-1343024091-1801674531-50492\Scripts\Logon\0\0]
"Script"=avayacst.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\group policy\state\S-1-5-21-790525478-1343024091-1801674531-53006\Scripts\Logon\0\0]
"Script"=avayacst.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\FaxSrCli\\Notify.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=

R0 avipsec;Avaya IPSEC Driver;c:\windows\system32\drivers\avipsec.sys [9/22/2005 4:38 PM 85504]
R1 enstart_;enstart_;c:\windows\system32\enstart_.sys [1/26/2009 6:07 PM 25472]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [9/22/2005 4:20 PM 16384]
R1 VProtocol;AVAYA VPNet VProtocol;c:\windows\system32\drivers\vproto2k.sys [9/22/2005 4:38 PM 14336]
R2 AvService;Avaya VPN Service;c:\program files\VPNremote for Windows XP\AvVpnService.exe [9/22/2005 4:38 PM 53248]
R2 enstart;enstart;c:\windows\system32\enstart.exe [9/22/2005 4:21 PM 741376]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\McAfee\Host Intrusion Prevention\FireSvc.exe [12/1/2008 3:18 PM 1467712]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcyco ms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [5/16/2009 8:51 PM 67904]
R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\fire hk.sys [5/16/2009 8:50 PM 42056]
R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [5/16/2009 8:51 PM 108280]
R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [5/16/2009 8:51 PM 37400]
R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [5/16/2009 8:51 PM 34432]
R3 hips;McAfee HIPSCore Service;c:\program files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe [5/16/2009 8:51 PM 34408]
R3 ndisva;Avaya VPNet Virtual Adapter Driver;c:\windows\system32\drivers\vadapter.sys [9/22/2005 4:38 PM 12288]
S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [5/16/2009 8:50 PM 42056]
S3 OracleDEFAULT_HOME_817ClientCache;OracleDEFAULT_HO ME_817ClientCache;c:\orawin_817\bin\ONRSD.EXE --> c:\orawin_817\bin\ONRSD.EXE [?]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCa che;c:\oracle\ora81\bin\ONRSD.EXE [10/19/2000 1:55 PM 411244]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3DF9980-C3EA-44F1-95BC-3C8AAEC6FA91}]
MSIEXEC.EXE /fu {B3DF9980-C3EA-44F1-95BC-3C8AAEC6FA91} /qn

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\INF\wmactedp.inf,PerUserStub,,4
.
Contents of the 'Scheduled Tasks' folder

2005-09-22 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2005-09-22 07:37]

2009-06-30 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-03-08 13:02]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Easy Dock - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://associate.avaya.com/
uInternet Connection Wizard,ShellNext = hxxp://associate.avaya.com/
uInternet Settings,ProxyOverride = *.avaya.com;155.184.*;<local>
uInternet Settings,ProxyServer = co.proxy.avaya.com:8000
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\brhill\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: avaya.com\itms
DPF: Concur Expense Applets - hxxps://nxmsp07.eng.avaya.com/expense/Applets/cnqr2k4_ie.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://tmpctd01.usae.avaya.com/qcbin/Spider90.ocx
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game04.zylom.com/activex/zylomgamesplayer.cab
DPF: {C0D2212A-5EF2-44F8-9441-1DB60F128112} - hxxp://salestools.avaya.com/sales/16285/applets/SiebelOptionPack.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
.

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-06-30 12:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtim e.dll,_RunDLLEntry@16????????????????????????????? ?????????????????????????????????????????????????? ?????????????????????????????????????????????????? ??????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3B5DF6D 1-E5A7-C88F-E124335B2AC10D6E}\{9E45AC21-0624-AFA6-0D9A316C99DC6801}\{4DB4AD3D-4DE2-41AE-499E94A6C8AFFBE1}*]
"RA4KGUJC6T6LBNJRIDQ63C2L6C1"=hex:01,00,01,00,00,0 0,00,00,f7,8a,3d,85,55,45,07,
82,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'explorer.exe'(688)
c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\browselc.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\program files\McAfee\VirusScan Enterprise\scriptcl.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\windows\system32\lxcycoms.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\ati2evxx.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Network Associates\Common Framework\McTray.exe
c:\program files\Avaya\ATA\ata.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
************************************************** ************************
.
Completion time: 2009-06-30 12:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-30 17:30

Pre-Run: 2,156,595,712 bytes free
Post-Run: 5,099,205,120 bytes free

355 --- E O F --- 2008-09-23 20:08

Osiris · 06-30-2009, 02:46 PM

Well that turned out good.

Make sure you reboot first then follow below

Now I need you to run them one more time, combofix first, then malwarebytes and post both logs again. After that post a new hijackthis log

fatbasta · 06-30-2009, 03:12 PM

I guess it's working good enough, after I posted the logs I rebooted and went out to lunch. It was a friends laptop and I guess while I was gone she came by and grabbed it. She left me a thank you message on my phone and said it worked great. I'll try to snag it back from her tonight to finish, but I doubt I'll hear from her again until it's busted again.
Thanks for your help, next time I'll use your "guide" before I bug you with any log files.
Thank you.

Osiris · 06-30-2009, 03:17 PM

Sounds good to me

Member Login