Mischel Internet Security Forum / Malware / Trojans
Topic: Win32.iroffer.af (Read 3575 times)
pkm613 (Newbie, Posts: 9)
Win32.iroffer.af
« on: Jan 15th, 2010, 5:41pm »

Hello,
 
I looked at the database, and don't see this covered. I know I have it as Spybot detects it from time to time, but doesn't seem to be able to remove it.  
 
It's not an FP either, as the symptoms of this trojan reveal its ugly head in "mail delivery" emails I get back from time to time.
 
Help, please! I really don't want to reformat my hard drive.
 
P
siliconman01 (Global Moderator, Posts: 7358)
Trojans! Chew 'em Up, Spit 'em Out...
Re: Win32.iroffer.af
« Reply #1 on: Jan 15th, 2010, 10:46pm »

Welcome to the forum pkm613
 
Unfortunately, there are no naming convention standards between security vendors.  Therefore it is difficult to say whether TH has the necessary detection rules to detect this specific infection.  I suspect that it does because this trojan emerged in 2007.  
 
Do you have any infected files that you can send Gavin for analysis?  If so, please submit them via the instructions in the link below.  Gavin will incorporate detection/removal if it is not already there.
 
http://www.misec.net/forum/board/FAQ/1139308293
 
You could also download/install the Trial version of TH.  Be sure to update the detection rules during the installation.  Then run a FULL scan of your system.  
 
Also, download/install Hijackthis per the link below.  Then post back here an HJT scan log for me to examine for infections.
 
http://www.misec.net/forum/board/FAQ/1163329424
______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.
pkm613 (Newbie, Posts: 9)
Re: Win32.iroffer.af
« Reply #2 on: Jan 19th, 2010, 7:07pm »

siliconman01,
 
Thanks for the reply, but I have no idea what file is infected. The only thing that detects it from time to time is Spybot, but it "removes" the file. I have TH 5.2, but it doesn't detect it.
 
The thing that sux is, I just reformatted my hard drive, and it still is there. Granted, I backed up some important files, and I reformatted on the same partition. I scanned those files for viruses, spyware, etc., but nothing came up.
 
I just don't know what to do. Norton's, Avast, and BitDefender don't seem to detect it. I brought my PC to a local vendor, and they suggested that I reformat the hard drive, but it apparently hasn't done any good.
 
I'm bummed, and pissed.
 
Thanks...
pkm613 (Newbie, Posts: 9)
Re: Win32.iroffer.af
« Reply #3 on: Jan 19th, 2010, 7:10pm »

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 7:09:45 PM, on 1/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\TrojanHunter 5.2\THGuard.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WIN2000\guru.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SDFiles.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mredllc.connectmls.com/slogin.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2010\IEToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2010\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.2\THGuard.exe"
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [WinTOTAL Scheduler] C:\WIN2000\guru.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - https://support.dell.com/systemprofiler/SysProExe.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263776085140
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -  
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CarboniteService - Carbonite, Inc.(www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
 
--
End of file - 11145 bytes
siliconman01 (Global Moderator, Posts: 7358)
Re: Win32.iroffer.af
« Reply #4 on: Jan 19th, 2010, 11:43pm »

Your HJT scan log is not showing any infection either.  There is one item that you can fix with HJT, however.
 
1.  Perform another HJT scan.  When the scan is completed, select the entry below by placing a checkmark in the box next to the item.  BE SURE that this is the only item checked.
 
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
 
2.  Close down your browser
 
3.  On the lower left of the HJT window, click on Fix Checked.  Confirm that you want HJT to fix the item and let it fix it.
 
4.  Close Hijackthis.
 
Does the log of Spybot or its quarantine folder show the name of the file that was quarantined and where that file was located?
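The checks siliconman01 applies by eye to the log above can be written down. The script below is an added example, not part of the thread and not code from HijackThis or TrojanHunter: it reads a HijackThis log and flags three kinds of O-section entries that a helper looks at twice, a registration whose file is gone (the `(no file)` BHO fixed in this reply), a service with no publisher string, and anything started from outside the usual install directories. The list of expected install roots, the three rule categories and the sample lines (copied from the logs posted in this thread) are assumptions for illustration. A hit is a prompt to investigate, not a verdict: the log labels `C:\WIN2000\guru.exe` as "WinTOTAL Scheduler", and an unusual path is exactly why a reviewer would check it rather than evidence of infection.

```python
"""Triage a HijackThis log for entries a human helper would look at twice.

Added example, not part of HijackThis or of the forum thread. The roots,
rules and sample lines below are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Directories a Windows XP install and ordinary third-party software live in.
# Assumed list: anything started from elsewhere gets flagged for review.
EXPECTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\progra~1\\",
)

# "O4 - HKLM\..\Run: [Name] C:\path\file.exe" -> section "O4", rest is the body.
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# First drive-letter path in a body, cut at the executable/library extension
# so trailing arguments such as " -expressboot" are dropped.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|cab|ocx))", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str   # "orphan", "unknown_owner" or "odd_path"
    line: str


def file_path(body: str) -> Optional[str]:
    """Return the on-disk path named in an entry body, or None if there is none."""
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def triage(log_text: str) -> List[Finding]:
    """Run three checks over every O-section line of a HijackThis log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # header, R-lines, process list
        section, body = m.groups()

        # 1. A registration whose file is gone: a leftover of something that
        #    was removed, harmless in itself and safe to fix with HJT.
        if body.endswith("(no file)") or "(file missing)" in body:
            findings.append(Finding("orphan", line))
            continue

        # 2. A service with no publisher string. Legitimate software does this
        #    too (see the Linksys updater below), so it is a prompt, not a verdict.
        if section == "O23" and "Unknown owner" in body:
            findings.append(Finding("unknown_owner", line))

        # 3. Anything started from outside the usual install directories.
        path = file_path(body)
        if path and not path.lower().startswith(EXPECTED_ROOTS):
            findings.append(Finding("odd_path", line))
    return findings


# Constructed sample: the header line and six entries copied from the logs
# posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [WinTOTAL Scheduler] C:\WIN2000\guru.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<14} {f.line}")
```

Run against the sample it reports the orphan BHO, the `C:\WIN2000` Run entry and the Linksys service, and nothing else. The orphan rule is the only one that is safe to act on mechanically: an O2 line ending in `(no file)` is a dangling CLSID under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects`, which is what HJT's "Fix checked" removes. The other two rules only narrow down what to look up, which is why the script returns findings instead of deleting anything.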
pkm613 (Newbie, Posts: 9)
Re: Win32.iroffer.af
« Reply #5 on: Jan 20th, 2010, 6:18pm »

Thanks, I did what you suggested, but Outlook still receives the Mail Delivery System emails.
 
SpyBot does consistently find it at the same location. When it finds it again, I will post it.
 
Sorry for being a pain; here is the latest HijackThis scan.
 
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 6:07:55 PM, on 1/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\TrojanHunter 5.2\THGuard.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WIN2000\guru.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\WINDOWS\msagent\AgentSvr.exe
c:\win2000\winform.exe
C:\WIN2000\AppDesk.exe
C:\WINDOWS\system32\calc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mredllc.connectmls.com/slogin.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2010\IEToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2010\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.2\THGuard.exe"
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [WinTOTAL Scheduler] C:\WIN2000\guru.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - https://support.dell.com/systemprofiler/SysProExe.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263776085140
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -  
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CarboniteService - Carbonite, Inc.(www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
siliconman01 (Global Moderator, Posts: 7358)
Re: Win32.iroffer.af
« Reply #6 on: Jan 20th, 2010, 10:35pm »

Your latest HJT log looks fine.
pkm613 (Newbie, Posts: 9)
Re: Win32.iroffer.af
« Reply #7 on: Jan 27th, 2010, 2:26am »

OK. Spybot found its location at:  
 
C:\WINDOWS\Client
 
with the following additional data: [SB $E19E27B1] Data
 
And per Spybot, here is the description:
 
Win32.Iroffer.af records all keystrokes without user consent and thus makes it possible to spy on the user. It is able to block security software (especially anti-spy or anti-virus programs) and it runs completely hidden.
 
I really hope you can find something...
 
Here's HJT:
 
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 2:25:49 AM, on 1/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\TrojanHunter 5.2\THGuard.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WIN2000\guru.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\calc.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\freecell.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mredllc.connectmls.com/slogin.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2010\IEToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2010\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.2\THGuard.exe"
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [WinTOTAL Scheduler] C:\WIN2000\guru.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - https://support.dell.com/systemprofiler/SysProExe.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263776085140
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -  
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CarboniteService - Carbonite, Inc.(www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
 
--
End of file - 11402 bytes
siliconman01
Global Moderator
Re: Win32.iroffer.af
« Reply #8 on: Jan 27th, 2010, 3:57am »

This has symptoms of being a rootkit of some type.  Please try this special tool named Combofix to see if it detects/removes anything.  It uses a rootkit detector during its analysis.  The link below describes how to run Combofix and has the download link for Combofix.  Follow the instructions carefully.
 
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
1.  Before you run Combofix, please close down as many programs as you can.  Temporarily disable your security programs (except your software firewall).  
 
2.  Post back here the Combofix log that is generated at the end of the Combofix cleaning process.  
 
pkm613
Newbie
Re: Win32.iroffer.af
« Reply #9 on: Jan 27th, 2010, 3:32pm »

Thanks siliconman01!
 
Here's page 1 of 2 from Combofix.
 
ComboFix 10-01-27.03 - Paul K. Moy 01/27/2010  15:19:49.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3326.2504 [GMT -6:00]
Running from: c:\documents and settings\Paul K. Moy\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
 
(((((((((((((((((((((((((   Files Created from 2009-12-27 to 2010-01-27  )))))))))))))))))))))))))))))))
.
 
2010-01-25 23:23 . 2010-01-25 23:23  --------  d-----w-  c:\documents and settings\Paul K. Moy\Application Data\Canon
2010-01-25 23:18 . 2010-01-25 23:18  --------  d-----w-  c:\program files\Canon
2010-01-25 23:02 . 2008-04-13 18:45  15104  -c--a-w-  c:\windows\system32\dllcache\usbscan.sys
2010-01-25 23:02 . 2008-04-13 18:45  15104  ----a-w-  c:\windows\system32\drivers\usbscan.sys
2010-01-25 19:37 . 2010-01-25 19:37  --------  d-----w-  c:\program files\MSECache
2010-01-24 05:31 . 2010-01-27 01:39  664  ----a-w-  c:\windows\system32\d3d9caps.dat
2010-01-21 04:53 . 2002-12-28 16:26  20569  ----a-w-  c:\windows\system32\pxc25pm.dll
2010-01-21 04:53 . 2010-01-21 04:53  --------  d-----w-  c:\program files\Tracker Software
2010-01-20 01:09 . 2010-01-20 01:09  388096  ----a-r-  c:\documents and settings\Paul K. Moy\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-20 01:09 . 2010-01-20 01:09  --------  d-----w-  c:\program files\TrendMicro
2010-01-20 00:24 . 2010-01-20 00:24  --------  d-----w-  c:\program files\Rand McNally
2010-01-20 00:24 . 1997-02-25 00:44  70656  ------r-  c:\windows\system32\VSPELL32.DLL
2010-01-20 00:24 . 2010-01-20 00:25  --------  d-----w-  c:\program files\Common Files\Rand McNally
2010-01-19 21:12 . 2010-01-19 21:12  --------  d-----w-  c:\documents and settings\Paul K. Moy\Application Data\Apple Computer
2010-01-19 21:09 . 2010-01-19 21:10  --------  d-----w-  c:\program files\QuickTime
2010-01-19 21:09 . 2010-01-19 21:09  --------  d-----w-  c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-19 21:09 . 2010-01-19 21:09  --------  d-----w-  c:\program files\Common Files\Apple
2010-01-19 21:09 . 2010-01-19 21:09  --------  d-----w-  c:\documents and settings\Paul K. Moy\Local Settings\Application Data\Apple
2010-01-19 21:09 . 2010-01-19 21:09  --------  d-----w-  c:\program files\Apple Software Update
2010-01-19 21:09 . 2010-01-19 21:09  --------  d-----w-  c:\documents and settings\All Users\Application Data\Apple
2010-01-19 21:08 . 2010-01-19 21:08  --------  d-----w-  c:\documents and settings\Paul K. Moy\Local Settings\Application Data\Apple Computer
2010-01-18 10:59 . 2010-01-27 20:06  --------  d-----w-  c:\windows\system32\NtmsData
2010-01-18 10:20 . 2010-01-18 10:20  --------  d-sh--w-  c:\documents and settings\NetworkService\IETldCache
2010-01-18 10:05 . 2010-01-27 08:29  180160  ----a-w-  c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-18 10:02 . 2010-01-27 21:13  --------  d-----w-  c:\windows\Internet Logs
2010-01-18 09:35 . 2008-04-14 00:12  26624  ----a-w-  c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-01-18 08:52 . 2010-01-19 22:14  --------  d-----w-  c:\windows\Outlook
2010-01-18 08:50 . 2010-01-18 08:50  --------  d-sh--w-  c:\documents and settings\LocalService\IETldCache
2010-01-18 08:47 . 2010-01-18 08:47  --------  d-----w-  c:\documents and settings\PAULK~1~MOY\LOCALS~1
2010-01-18 08:47 . 2010-01-18 08:47  --------  d-----w-  c:\documents and settings\PAULK~1~MOY
2010-01-18 08:47 . 2009-08-21 23:21  103720  ----a-w-  c:\documents and settings\Paul K. Moy\GoToAssistDownloadHelper.exe
2010-01-18 08:47 . 2009-04-27 17:07  60744  ----a-w-  c:\documents and settings\Paul K. Moy\g2mdlhlpx.exe
2010-01-18 08:34 . 2010-01-27 17:14  --------  d-----w-  C:\MDT
2010-01-18 08:31 . 2010-01-18 08:31  --------  d-----w-  c:\documents and settings\Paul K. Moy\Application Data\CyberLink
2010-01-18 08:31 . 2010-01-18 08:31  --------  d-----w-  c:\documents and settings\All Users\Application Data\CyberLink
2010-01-18 08:27 . 2010-01-18 08:31  --------  d-----w-  c:\program files\SpyZooka
2010-01-18 07:42 . 2006-10-27 06:00  98304  ----a-w-  c:\windows\system32\dlxcrzil.dll
2010-01-18 07:22 . 2010-01-18 07:22  --------  d-----w-  c:\documents and settings\Paul K. Moy\Local Settings\Application Data\Linksys_LLC_-_A_Division_
2010-01-18 07:22 . 2010-01-18 07:22  --------  d-----w-  c:\documents and settings\All Users\Application Data\Linksys
2010-01-18 07:21 . 2010-01-18 07:21  --------  dc-h--w-  c:\documents and settings\All Users\Application Data\{35ACA973-70F0-495F-9092-74A130711865}
2010-01-18 07:21 . 2009-05-21 21:29  2833072  -c--a-w-  c:\documents and settings\All Users\Application Data\{35ACA973-70F0-495F-9092-74A130711865}\setup.exe
2010-01-18 07:20 . 2008-12-13 00:05  23984  ----a-w-  c:\windows\system32\drivers\pnarp.sys
2010-01-18 07:20 . 2008-12-13 00:05  25264  ----a-w-  c:\windows\system32\drivers\purendis.sys
2010-01-18 07:20 . 2010-01-18 07:20  --------  d-----w-  c:\program files\Common Files\Pure Networks Shared
2010-01-18 07:20 . 2010-01-18 07:20  --------  d-----w-  c:\documents and settings\All Users\Application Data\Pure Networks
2010-01-18 07:09 . 2008-06-29 21:00  131189  ----a-w-  c:\windows\system32\dlxzizil.dll
2010-01-18 06:56 . 2010-01-18 06:56  --------  d-----w-  c:\documents and settings\Paul K. Moy\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-01-18 06:54 . 2010-01-21 20:33  --------  d-----w-  c:\documents and settings\Paul K. Moy\Local Settings\Application Data\PowerDVD DX
2010-01-18 06:54 . 2010-01-18 06:54  --------  d-----w-  c:\documents and settings\All Users\Application Data\Dell
2010-01-18 06:53 . 2010-01-18 08:34  --------  d-----w-  c:\program files\CyberLink
2010-01-18 06:47 . 2010-01-18 09:20  --------  d-----w-  c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-01-18 06:43 . 2010-01-18 06:43  --------  d-----w-  c:\documents and settings\Paul K. Moy\Application Data\Office Genuine Advantage
2010-01-18 06:33 . 2010-01-18 06:33  0  ----a-w-  c:\windows\nsreg.dat
2010-01-18 06:33 . 2010-01-18 06:33  --------  d-----w-  c:\documents and settings\Paul K. Moy\Local Settings\Application Data\Mozilla
2010-01-18 06:24 . 2010-01-18 06:24  --------  d-----w-  c:\program files\WebEx
2010-01-18 06:09 . 2010-01-18 06:14  --------  d-----w-  c:\documents and settings\All Users\Application Data\FLEXnet
2010-01-18 06:06 . 2009-11-20 11:08  38784  ----a-w-  c:\documents and settings\Paul K. Moy\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-18 06:06 . 2010-01-18 06:06  --------  d-----w-  c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-01-18 05:47 . 2010-01-18 05:47  --------  d-----w-  c:\program files\MSXML 4.0
2010-01-18 05:44 . 2010-01-18 05:50  --------  d-----w-  c:\documents and settings\Paul K. Moy\Application Data\Download Manager
2010-01-18 05:37 . 2010-01-18 05:37  --------  d-----w-  c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-18 05:30 . 2010-01-20 23:00  --------  d-----w-  c:\program files\a la mode
2010-01-18 05:30 . 2010-01-18 05:30  --------  d-----w-  c:\windows\Profiles
2010-01-18 05:30 . 2010-01-18 06:05  --------  d-----w-  c:\program files\Common Files\Adobe
2010-01-18 05:30 . 2010-01-18 05:30  --------  d-----w-  c:\windows\system32\Adobe
2010-01-18 05:30 . 2010-01-18 05:30  --------  d-----w-  c:\documents and settings\Paul K. Moy\Application Data\InterTrust
2010-01-18 05:30 . 1998-10-29 20:45  306688  ----a-w-  c:\windows\IsUninst.exe
2010-01-18 05:30 . 2010-01-18 05:30  --------  d-----w-  c:\windows\lhsp
2010-01-18 05:29 . 2010-01-18 05:29  --------  d-----w-  c:\windows\system32\Cameras
2010-01-18 05:24 . 2010-01-18 05:24  --------  d-----w-  c:\program files\Carbonite
2010-01-18 05:24 . 2010-01-18 05:24  --------  d-----w-  c:\documents and settings\All Users\Application Data\Carbonite
2010-01-18 05:22 . 2010-01-18 05:22  --------  d-----w-  c:\documents and settings\Paul K. Moy\Application Data\TrojanHunter
2010-01-18 05:20 . 2010-01-18 08:40  --------  d-----w-  c:\program files\TrojanHunter 5.2
2010-01-18 05:17 . 2010-01-27 17:47  --------  d-----w-  C:\WIN2000
2010-01-18 05:17 . 2010-01-18 05:17  --------  d-----w-  c:\documents and settings\Paul K. Moy\Application Data\WinPatrol
2010-01-18 05:17 . 2010-01-17 23:55  0  ----a-w-  c:\documents and settings\Paul K. Moy\Application Data\WinPatrol\Config.sys
2010-01-18 05:17 . 2010-01-17 23:55  0  ----a-w-  c:\documents and settings\Paul K. Moy\Application Data\WinPatrol\Autoexec.bat
2010-01-18 05:16 . 2010-01-18 05:16  --------  d-----w-  c:\program files\BillP Studios
2010-01-18 04:50 . 2010-01-18 05:26  --------  d-----w-  c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-18 04:50 . 2010-01-18 04:54  --------  d-----w-  c:\program files\Spybot - Search & Destroy
2010-01-18 04:48 . 2010-01-18 06:01  --------  d-----w-  c:\program files\Microsoft Works
2010-01-18 04:48 . 2010-01-18 04:48  --------  d-----w-  c:\program files\Microsoft.NET
2010-01-18 04:47 . 2010-01-18 04:47  --------  d-----w-  c:\documents and settings\Paul K. Moy\Local Settings\Application Data\Microsoft Help
2010-01-18 04:47 . 2010-01-18 06:02  --------  d-----w-  c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-18 04:44 . 2010-01-20 00:27  --------  d-----w-  c:\program files\Microsoft Silverlight
2010-01-18 04:43 . 2010-01-18 04:43  --------  d-----r-  C:\MSOCache
2010-01-18 04:37 . 2010-01-18 04:37  --------  d-----w-  c:\documents and settings\Paul K. Moy\Tracing
2010-01-18 04:26 . 2010-01-18 04:44  --------  d-----w-  c:\program files\Microsoft
2010-01-18 04:25 . 2010-01-18 04:25  --------  d-----w-  c:\program files\Windows Live SkyDrive
2010-01-18 04:25 . 2010-01-18 04:26  --------  d-----w-  c:\program files\Windows Live
2010-01-18 04:23 . 2010-01-18 04:23  --------  d-----w-  c:\program files\Common Files\Windows Live
2010-01-18 04:17 . 2010-01-18 04:17  0  ----a-w-  c:\windows\ativpsrm.bin
2010-01-18 03:39 . 2010-01-18 03:39  --------  d-----w-  c:\documents and settings\Paul K. Moy\Local Settings\Application Data\Identities
2010-01-18 03:39 . 2010-01-18 03:39  --------  d-----w-  c:\documents and settings\Paul K. Moy\Application Data\Windows Desktop Search
2010-01-18 03:38 . 2010-01-18 04:21  --------  d-----w-  c:\program files\Windows Desktop Search
2010-01-18 03:38 . 2010-01-18 03:38  --------  d-----w-  c:\windows\system32\GroupPolicy
2010-01-18 03:38 . 2010-01-18 03:38  4  ----a-w-  c:\windows\system32\aspdict-en.dat
2010-01-18 03:38 . 2010-01-18 03:38  16  ----a-w-  c:\windows\system32\asdict.dat
2010-01-18 03:38 . 2008-03-07 17:02  98304  -c----w-  c:\windows\system32\dllcache\nlhtml.dll
2010-01-18 03:38 . 2008-03-07 17:02  29696  -c----w-  c:\windows\system32\dllcache\mimefilt.dll
2010-01-18 03:38 . 2008-03-07 17:02  192000  -c----w-  c:\windows\system32\dllcache\offfilt.dll
2010-01-18 03:13 . 2010-01-18 04:20  132  ----a-w-  c:\windows\system32\rezumatenoi.dat
2010-01-18 03:10 . 2010-01-18 03:10  0  ----a-w-  C:\pcwords2.dat
2010-01-18 03:10 . 2010-01-18 03:10  0  ----a-w-  C:\pcwords.dat
2010-01-18 02:57 . 2010-01-18 02:58  --------  d-----w-  c:\documents and settings\All Users\Application Data\BitDefender
2010-01-18 02:57 . 2010-01-18 02:57  --------  d-----w-  c:\documents and settings\Paul K. Moy\Application Data\BitDefender
2010-01-18 02:57 . 2010-01-18 02:57  --------  d-----w-  c:\program files\BitDefender
2010-01-18 02:57 . 2010-01-18 02:57  --------  d-----w-  c:\program files\Common Files\BitDefender
2010-01-18 02:16 . 2010-01-18 02:31  --------  d-----w-  c:\documents and settings\Paul K. Moy\Local Settings\Application Data\ApplicationHistory
2010-01-18 02:13 . 2010-01-18 08:19  --------  d-----w-  c:\documents and settings\Paul K. Moy\Local Settings\Application Data\Deployment
2010-01-18 02:13 . 2010-01-18 02:13  --------  d-----w-  c:\documents and settings\Paul K. Moy\Local Settings\Application Data\ATI
2010-01-18 02:13 . 2010-01-18 02:13  --------  d-----w-  c:\documents and settings\Paul K. Moy\Application Data\ATI
2010-01-18 02:13 . 2010-01-18 02:13  --------  d-----w-  c:\documents and settings\All Users\Application Data\ATI
2010-01-18 01:58 . 2010-01-18 01:58  --------  d-----w-  c:\program files\Windows Media Connect 2
2010-01-18 01:57 . 2010-01-20 00:23  --------  d-----w-  c:\windows\system32\LogFiles
2010-01-18 01:57 . 2010-01-18 01:58  --------  d-----w-  c:\windows\system32\drivers\UMDF
2010-01-18 01:57 . 2010-01-18 01:57  --------  d-----w-  c:\windows\system32\URTTemp
2010-01-18 01:50 . 2010-01-18 01:50  --------  d-sh--w-  c:\documents and settings\Paul K. Moy\IECompatCache
2010-01-18 01:50 . 2010-01-18 01:50  --------  d-sh--w-  c:\documents and settings\Paul K. Moy\PrivacIE
2010-01-18 01:49 . 2010-01-18 01:49  --------  d-sh--w-  c:\documents and settings\Paul K. Moy\IETldCache
2010-01-18 01:45 . 2010-01-18 01:45  --------  dc-h--w-  c:\windows\ie8
2010-01-18 01:40 . 2008-06-13 11:05  272128  -c----w-  c:\windows\system32\dllcache\bthport.sys
2010-01-18 01:40 . 2009-11-21 15:51  471552  -c----w-  c:\windows\system32\dllcache\aclayers.dll
2010-01-18 01:38 . 2009-10-15 16:28  81920  -c----w-  c:\windows\system32\dllcache\fontsub.dll
2010-01-18 01:38 . 2009-10-15 16:28  119808  -c----w-  c:\windows\system32\dllcache\t2embed.dll
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-27 17:13 . 2010-01-20 00:27  15276247  ----a-w-  c:\windows\Internet Logs\tvDebug.Zip
2010-01-25 23:18 . 2010-01-18 00:55  --------  d--h--w-  c:\program files\InstallShield Installation Information
2010-01-18 10:03 . 2010-01-18 10:03  --------  d-----w-  c:\documents and settings\Paul K. Moy\Application Data\CheckPoint
2010-01-18 10:03 . 2010-01-18 10:03  --------  d-----w-  c:\program files\CheckPoint
2010-01-18 10:03 . 2010-01-18 10:03  4212  ---ha-w-  c:\windows\system32\zllictbl.dat
2010-01-18 10:03 . 2010-01-18 10:03  --------  d-----w-  c:\program files\Zone Labs
2010-01-18 07:26 . 2010-01-18 01:05  5  ----a-w-  c:\windows\system32\drivers\DELL_XPS_Vostro 200.MRK
2010-01-18 07:26 . 2010-01-18 01:05  5  ----a-w-  c:\windows\system32\drivers\1028_DELL_XPS_Vostro 200.MRK
2010-01-18 06:24 . 2010-01-18 06:24  8892928  ----a-w-  c:\documents and settings\All Users\Application Data\atscie.msi
2010-01-18 06:08 . 2010-01-18 06:04  --------  d-----w-  c:\documents and settings\All Users\Application Data\NOS
2010-01-18 06:05 . 2010-01-18 06:05  --------  d-----w-  c:\program files\Common Files\Adobe AIR
2010-01-18 06:05 . 2010-01-18 06:04  86016  ----a-w-  c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-18 05:53 . 2010-01-18 05:53  --------  d-----w-  c:\program files\Common Files\Macrovision Shared
2010-01-18 05:30 . 2010-01-18 05:30  1409  ----a-w-  c:\windows\Fonts\ALAMODE.fot
2010-01-18 05:30 . 2010-01-18 05:30  1409  ----a-w-  c:\windows\Fonts\AFORM120.fot
2010-01-18 05:30 . 2010-01-18 05:30  1409  ----a-w-  c:\windows\Fonts\AFORM112.fot
2010-01-18 05:30 . 2010-01-18 05:30  1409  ----a-w-  c:\windows\Fonts\AFORM105.fot
2010-01-18 05:30 . 2010-01-18 05:30  1409  ----a-w-  c:\windows\Fonts\AFORM100.fot
2010-01-18 05:30 . 2010-01-18 05:30  1409  ----a-w-  c:\windows\Fonts\AFORM09B.fot
2010-01-18 05:30 . 2010-01-18 05:30  1409  ----a-w-  c:\windows\Fonts\AFORM090.fot
2010-01-18 05:30 . 2010-01-18 05:30  1409  ----a-w-  c:\windows\Fonts\AFORM080.fot
2010-01-18 05:30 . 2010-01-18 05:30  1409  ----a-w-  c:\windows\Fonts\ADATA095.fot
2010-01-18 02:00 . 2010-01-18 02:00  --------  d-----w-  c:\program files\MSBuild
2010-01-18 02:00 . 2010-01-18 02:00  --------  d-----w-  c:\program files\Reference Assemblies
2010-01-18 01:39 . 2010-01-18 01:37  --------  d-----w-  c:\program files\ATI
2010-01-18 01:38 . 2010-01-18 01:37  --------  d-----w-  c:\program files\ATI Technologies
2010-01-18 01:37 . 2010-01-18 01:37  10134  ----a-r-  c:\documents and settings\Paul K. Moy\Application Data\Microsoft\Installer\{A778A787-08A4-4089-CB68-02A9737DE532}\ARPPRODUCTICON.exe
2010-01-18 01:23 . 2010-01-17 23:54  87263  ----a-w-  c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-18 01:03 . 2010-01-18 00:55  --------  d-----w-  c:\program files\Common Files\InstallShield
2010-01-18 00:55 . 2010-01-18 00:55  --------  d-----w-  c:\program files\Realtek
2010-01-18 00:55 . 2010-01-18 00:55  315392  ----a-w-  c:\windows\HideWin.exe
2010-01-17 23:55 . 2010-01-17 23:55  --------  d-----w-  c:\program files\microsoft frontpage
2010-01-17 23:53 . 2010-01-17 23:53  21640  ----a-w-  c:\windows\system32\emptyregdb.dat
2009-12-21 19:14 . 2006-03-04 03:33  916480  ----a-w-  c:\windows\system32\wininet.dll
2009-12-08 00:49 . 2009-12-08 00:49  105736  ----a-w-  c:\windows\system32\drivers\bdhv.sys
2009-12-08 00:46 . 2009-12-08 00:46  152456  ----a-w-  c:\windows\system32\drivers\bdfm.sys
2009-11-25 03:50 . 2010-01-18 01:17  4463104  ----a-w-  c:\windows\system32\drivers\ati2mtag.sys
2009-11-25 03:27 . 2010-01-18 01:37  446464  ----a-w-  c:\windows\system32\ATIDEMGX.dll
2009-11-25 03:26 . 2008-04-14 00:11  300032  ----a-w-  c:\windows\system32\ati2dvag.dll
2009-11-25 03:11 . 2010-01-18 01:37  208896  ----a-w-  c:\windows\system32\atipdlxx.dll
2009-11-25 03:11 . 2010-01-18 01:37  155648  ----a-w-  c:\windows\system32\Oemdspif.dll
2009-11-25 03:10 . 2010-01-18 01:37  26112  ----a-w-  c:\windows\system32\Ati2mdxx.exe
2009-11-25 03:10 . 2010-01-18 01:37  43520  ----a-w-  c:\windows\system32\ati2edxx.dll
2009-11-25 03:10 . 2010-01-18 01:37  155648  ----a-w-  c:\windows\system32\ati2evxx.dll
2009-11-25 03:09 . 2010-01-18 01:37  602112  ----a-w-  c:\windows\system32\ati2evxx.exe
2009-11-25 03:07 . 2010-01-18 01:37  53248  ----a-w-  c:\windows\system32\ATIDDC.DLL
2009-11-25 02:59 . 2010-01-18 01:37  311296  ----a-w-  c:\windows\system32\atiiiexx.dll
2009-11-25 02:59 . 2008-04-14 00:11  3538496  ----a-w-  c:\windows\system32\ati3duag.dll
2009-11-25 02:44 . 2010-01-18 01:37  13533184  ----a-w-  c:\windows\system32\atioglxx.dll
2009-11-25 02:43 . 2008-04-14 00:11  2142848  ----a-w-  c:\windows\system32\ativvaxx.dll
2009-11-25 02:42 . 2010-01-18 01:37  887724  ----a-w-  c:\windows\system32\ativva6x.dat
2009-11-25 02:42 . 2010-01-18 01:37  3  ----a-w-  c:\windows\system32\ativva5x.dat
2009-11-25 02:26 . 2010-01-18 01:37  65024  ----a-w-  c:\windows\system32\atimpc32.dll
2009-11-25 02:26 . 2010-01-18 01:37  65024  ----a-w-  c:\windows\system32\amdpcom32.dll
2009-11-25 02:21 . 2010-01-18 01:37  565248  ----a-w-  c:\windows\system32\atikvmag.dll
2009-11-25 02:20 . 2010-01-18 01:37  45056  ----a-w-  c:\windows\system32\aticalrt.dll
2009-11-25 02:20 . 2010-01-18 01:37  45056  ----a-w-  c:\windows\system32\aticalcl.dll
2009-11-25 02:19 . 2010-01-18 01:37  176128  ----a-w-  c:\windows\system32\atiadlxx.dll
2009-11-25 02:18 . 2010-01-18 01:37  17408  ----a-w-  c:\windows\system32\atitvo32.dll
2009-11-25 02:18 . 2010-01-18 01:37  3612672  ----a-w-  c:\windows\system32\aticaldd.dll
2009-11-25 02:18 . 2010-01-18 01:37  53248  ----a-w-  c:\windows\system32\drivers\ati2erec.dll
2009-11-25 02:17 . 2010-01-18 01:37  397312  ----a-w-  c:\windows\system32\atiok3x2.dll
2009-11-25 02:12 . 2008-04-14 00:11  638976  ----a-w-  c:\windows\system32\ati2cqag.dll
2009-11-22 21:42 . 2010-01-18 10:03  1238408  ----a-w-  c:\windows\system32\zpeng25.dll
2009-11-22 21:42 . 2010-01-18 10:03  69000  ----a-w-  c:\windows\system32\zlcomm.dll
2009-11-22 21:42 . 2010-01-18 10:03  103816  ----a-w-  c:\windows\system32\zlcommdb.dll
2009-11-21 15:51 . 2004-08-04 10:00  471552  ----a-w-  c:\windows\AppPatch\aclayers.dll
2009-11-20 11:08 . 2010-01-18 06:05  38784  ----a-w-  c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-20 00:59 . 2010-01-18 10:07  47104  ----a-w-  c:\program files\mozilla firefox\components\FFComm.dll
.
pkm613
Newbie
Re: Win32.iroffer.af
« Reply #10 on: Jan 27th, 2010, 3:32pm »

page 2 of 2
 
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown  
REGEDIT4
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-12-03 22:52  574096  ----a-r-  c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-12-03 22:52  574096  ----a-r-  c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-12-03 22:52  574096  ----a-r-  c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinTOTAL Scheduler"="c:\win2000\guru.exe" [2005-04-11 622592]
"pdfSaver3"="c:\program files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" [2004-07-18 368640]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 16132608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-18 149280]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-25 98304]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2010\IEShow.exe" [2009-10-19 71152]
"BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2009-12-04 1118144]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"THGuard"="c:\program files\TrojanHunter 5.2\THGuard.exe" [2009-11-26 1069728]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-12-03 670864]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-22 640440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-09 128560]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-10-14 730480]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
 
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDPCheesyHCP Discovery Service
 
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/14/2009 7:30 AM 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [10/14/2009 7:30 AM 476528]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [12/7/2009 6:46 PM 152456]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 1:43 PM 204800]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [10/19/2009 4:06 PM 183880]
 
--- Other Services/Drivers In Memory ---
 
*NewlyCreated* - 5B6F12AF
*NewlyCreated* - E9AD89FA
*Deregistered* - 5b6f12af
*Deregistered* - e9ad89fa
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ   scan
.
Contents of the 'Scheduled Tasks' folder
 
2010-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
 
2010-01-27 c:\windows\Tasks\User_Feed_Synchronization-{4A2F4393-C023-468C-908B-143164526CE0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mredllc.connectmls.com/slogin.jsp
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Paul K. Moy\Application Data\Mozilla\Firefox\Profiles\k2kbwbze.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/|http://www.drudgereport.com/|http://www.billoreilly.com/|http://www.ibdeditorials.com/|http://www.realclearpolitics.com/|http://www.nationalreview.com/|http://www.redstate.com/|http://powerlineblog.com/|http://townhall.com/|http://www.debka.com/index1.php|http://www.washingtonexaminer.com/
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
 
HKLM-Run-pdfSaver3 - (no file)
 
 
 
**************************************************************************
 
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-27 15:27
Windows 5.1.2600 Service Pack 3 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ...  
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\Ati2evxx.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
 
- - - - - - - > 'lsass.exe'(856)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
 
- - - - - - - > 'explorer.exe'(5372)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-27  15:29:12
ComboFix-quarantined-files.txt  2010-01-27 21:29
 
Pre-Run: 470,645,682,176 bytes free
Post-Run: 470,916,788,224 bytes free
 
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
 
- - End Of File - - 4884BD1546B2029BC799CB98C87E30DE
siliconman01
Global Moderator
Re: Win32.iroffer.af
« Reply #11 on: Jan 28th, 2010, 12:10am »
Hmmm, Combofix found nothing malicious on your system... rootkit or otherwise.
 
Quote:
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net  
Rootkit scan 2010-01-27 15:27  
Windows 5.1.2600 Service Pack 3 NTFS  
 
scanning hidden processes ...    
 
scanning hidden autostart entries ...  
 
scanning hidden files ...    
 
scan completed successfully  
hidden files: 0  
 

 
You should now remove Combofix from your system.
 
1.  Go to START>RUN and type in combofix /u
(Note the space before /u)
 
2.  Click on OK and let Combofix uninstall itself.
siliconman01
Global Moderator
Re: Win32.iroffer.af
« Reply #12 on: Jan 28th, 2010, 12:44am »

In addition to my post above...
 
Quote:
I looked at the database, and don't see this covered. I know I have it as Spybot detects it from time to time, but doesn't seem to be able to remove it.  
 
It's not a FP either, as the symptoms of this trojan reveal its ugly head in "mail delivery" emails I get back from time to time.
 

 
If I understand this correctly, this "infection" is coming in on an email.  And you find it when you scan with Spybot.  (I see that TeaTimer is not running so SB's realtime protection is not available).
 
What confuses me a bit is that you state that SB does not remove it.  
 
1.  Does SB find it every time you scan with SB?
 
2.  Do you have BitDefender set up to scan incoming emails?
 
3.  Is it always coming in from the same email address?  If so, can you block that specific email address via your email client?
pkm613
Newbie
Re: Win32.iroffer.af
« Reply #13 on: Jan 28th, 2010, 2:37pm »

siliconman01,
 
First, thank you for all your help.
 
I'm sorry I wasn't a little more clear. The only indication that I have this trojan or whatever it is, is from the e-mails I get that seem to suggest that Outlook has been sending blast e-mails to various addresses. That, and the occasional scan from SB that indicates that it has detected "Win32.Iroffer.af" and apparently removes it.
 
SB doesn't seem to detect it all the time, which drives me crazy. It drives me crazy because of the e-mails Outlook gets again, suggesting it's been blasting them out -- you know how you get a message from your ISP saying that the e-mail address doesn't work? That's what I get back which again indicates that the iroffer is still somewhere in my computer.
 
Yes, I have BitDefender (and prior competing brands) set up to scan e-mails.
 
Again, the e-mails I receive are from the ISP indicating that the e-mail addresses that Iroffer has been blasting to are no longer valid.
 
I'm going to do another run of Combofix tonight, and let the system close on its own. The one time I ran it, the computer wasn't closing, so I manually closed it...
 
Thanks again for all your help. I'm still frustrated that there doesn't seem to be a solution to this problem....  Cry
pkm613
Newbie
Re: Win32.iroffer.af
« Reply #14 on: Jan 28th, 2010, 2:53pm »

BTW,
 
Here's the body of a typical e-mail that I get back from the ISP:
 
 This is an automatically generated Delivery Status Notification.  
 
Delivery to the following recipients is still underway after 13.7 hour(s):
 
  * fgz09@vip.viafriend.com
 
Will keep trying and contact you if the message can't be delivered permanently.
 
And here's the attached "detail.txt" (410 B) message:
 
Reporting-MTA: dns; qmta11.emeryville.ca.mail.comcast.net [76.96.27.211]
Received-From-MTA: dns; omta23.emeryville.ca.mail.comcast.net [76.96.30.90]
Arrival-Date: Thu, 28 Jan 2010 07:08:56 +0000
 
 
Final-recipient: rfc822; fgz09@vip.viafriend.com
Action: delayed
Status: 4.1.1
Last-attempt-Date: Thu, 28 Jan 2010 20:49:04 +0000
 
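As an added example (not code from the thread or from any of the tools named in it), a small Python parser for the RFC 3464 delivery-status report quoted in the post above, which turns each per-recipient group into a verdict a defender can count and correlate. The sample text is reconstructed from the post and the function names are my own.

```python
"""Parse an RFC 3464 delivery-status report (the detail.txt attachment).

Added example, not from the forum thread; helper names are invented here.
"""
import re

# Constructed sample, reconstructed from the post: one per-message group,
# then one per-recipient group, separated by blank lines.
SAMPLE_DSN = """Reporting-MTA: dns; qmta11.emeryville.ca.mail.comcast.net [76.96.27.211]
Received-From-MTA: dns; omta23.emeryville.ca.mail.comcast.net [76.96.30.90]
Arrival-Date: Thu, 28 Jan 2010 07:08:56 +0000


Final-recipient: rfc822; fgz09@vip.viafriend.com
Action: delayed
Status: 4.1.1
Last-attempt-Date: Thu, 28 Jan 2010 20:49:04 +0000
"""

def parse_dsn(text):
    """Split a message/delivery-status body into field groups.

    Returns (per_message, [per_recipient, ...]); field names are lower-cased
    and only the first colon separates name from value (dates contain colons).
    """
    groups = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            name, sep, value = line.partition(":")
            if sep:
                fields[name.strip().lower()] = value.strip()
        if fields:
            groups.append(fields)
    return groups[0], groups[1:]

def classify_bounce(recipient):
    """Map one per-recipient group to (verdict, address).

    The Action field wins; otherwise the enhanced status class (RFC 3463)
    decides: 4.x.x is a transient delay, 5.x.x is a permanent failure.
    """
    addr = recipient.get("final-recipient", "")
    addr = addr.split(";", 1)[1].strip() if ";" in addr else addr
    action = recipient.get("action", "").lower()
    status = recipient.get("status", "")
    if action in ("delayed", "failed", "delivered"):
        return action, addr
    if status.startswith("5."):
        return "failed", addr
    if status.startswith("4."):
        return "delayed", addr
    return "unknown", addr

def triage(text):
    """Return the reporting MTA and one (verdict, address) pair per recipient."""
    per_message, recipients = parse_dsn(text)
    mta = per_message.get("reporting-mta", "").split(";", 1)[-1].strip()
    return mta, [classify_bounce(r) for r in recipients]
```

Bounces for addresses the user never mailed can also be backscatter from spoofed sender addresses rather than mail sent from this machine, so the Received-From-MTA and the original message headers, not the DSN alone, are what tell the two apart.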