Annoying Spyware Application spawning popups, etc

luminousnerd · Apr 13, 2006

Hello all,
I have a very annoying virus/spyware/malware, etc that I must get rid of. Symptoms include an anoying box coming out of my taskbar (attached is a screenshot of this) every few minutes, and pornographic and innappropriate popups which come up in Internet Explorer, which I never use. If I click the box coming from the taskbar, it brings me to one of a few websites. This is just one of the sites it's sent me to: wxx.adwarebazooka.com/?aff=103

Also, as a side note, I recently had Spyware Quake plaguing my 'puter. I finally ridded myself of it with guides found on Google, and when I rebooted it was gone. However, this came back in its place. Upon further investigation, I notice that nvctrl.exe, a process which is said to belong to Spyware Quake, still runs, even though I got rid of all the files and entries, etc, said to belong to Spyware Quake, and the actual Spyware Quake program stopped reviving itself. Perhaps this still has something to do with my new plague.

Help would be much appreciated.

Hijack this Logfile:

Logfile of HijackThis v1.99.1
Scan saved at 12:53:16 AM, on 4/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\AOL\1135243458\ee\AOLSoftware.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
C:\Program Files\Fusion Render Slave\RenderSlave.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\program files\common files\aol\1135243458\ee\aim6.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Fusion Render Slave\eyeonScript.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\System32\nvctrl.exe
C:\Program Files\Macromedia\Flash 8\Flash.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\LuminousNerd\My Documents\hijackthis\HijackThis.exe

O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\System32\hpB8E8.tmp
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135243458\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Fusion Render Slave.lnk = C:\Program Files\Fusion Render Slave\RenderSlave.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O21 - SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - C:\Program Files\Stardock\Object Desktop\IconPackager\iprepair.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

illukka · Apr 13, 2006

hi

welcome

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

luminousnerd · Apr 13, 2006

illukka said:
welcome

Thanks a ton

I have been using Spybot a while and it's the bomb. Thanks for helping me out.

illukka said:
Please copy/paste the content of that report into your next reply.

Okay, here 'tis:

SmitFraudFix v2.29

Scan done at 10:22:24.92, Thu 04/13/2006
Run from C:\Documents and Settings\LuminousNerd\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\amcompat.tlb FOUND !
C:\WINDOWS\system32\dfrgsrv.exe FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\interf.tlb FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\mssearchnet.exe FOUND !
C:\WINDOWS\system32\ncompat.tlb FOUND !
C:\WINDOWS\system32\nscompat.tlb FOUND !
C:\WINDOWS\system32\nvctrl.exe FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\LuminousNerd\Application Data

C:\Documents and Settings\LuminousNerd\Application Data\Microsoft\Internet Explorer\Quick Launch\SpywareQuake 2.0.lnk FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\Documents and Settings\LuminousNerd\Start Menu\SpywareQuake 2.0.lnk FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\LuminousNerd\Favorites

C:\Documents and Settings\LuminousNerd\Favorites\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Security Toolbar\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_CLASSES_ROOT\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

illukka · Apr 13, 2006

hi

yep, lets fix it then:

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

also post a new hiajckthis log

luminousnerd · Apr 16, 2006

Hey,

Sorry, don't know why but I didn't get an email reminder that you'd replied.

Anyhow, here are the results:

SmitFraudFix v2.29

Scan done at 14:11:00.40, Sun 04/16/2006
Run from C:\Documents and Settings\LuminousNerd\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\amcompat.tlb Deleted
C:\WINDOWS\system32\dfrgsrv.exe Deleted
C:\WINDOWS\system32\hp????.tmp Deleted
C:\WINDOWS\system32\interf.tlb Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\mssearchnet.exe Deleted
C:\WINDOWS\system32\ncompat.tlb Deleted
C:\WINDOWS\system32\nscompat.tlb Deleted
C:\WINDOWS\system32\nvctrl.exe Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\Program Files\Security Toolbar\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End

And the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:17:08 PM, on 4/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\AOL\1135243458\ee\AOLSoftware.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
C:\Program Files\Fusion Render Slave\RenderSlave.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Fusion Render Slave\eyeonScript.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\System32\hp2566.tmp (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135243458\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Fusion Render Slave.lnk = C:\Program Files\Fusion Render Slave\RenderSlave.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O21 - SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - C:\Program Files\Stardock\Object Desktop\IconPackager\iprepair.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

Thanks a ton

illukka · Apr 18, 2006

hi

open hijackthis

with all browsers and explorer windows checkmark and fix the following:
O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\System32\hp2566.tmp (file missing)

reboot

go to Panda ActiveScan

Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log

luminousnerd · Apr 18, 2006

illukka said:
hi

open hijackthis

with all browsers and explorer windows checkmark and fix the following:
O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\System32\hp2566.tmp (file missing)

reboot

go to Panda ActiveScan

Once you are on the Panda site click the Scan your PC button

A new window will open...click the Check Now button

Enter your Country

Enter your State/Province

Enter your e-mail address and click send

Select either Home User or Company

Click the big Scan Now button

If it wants to install an ActiveX component allow it

It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)

When download is complete, click on Local Disks to start the scan

When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log

Hey,
Thanks tons for the help! After that last step you gave me though, the popups ceased and all is calm! I really appreciate your help, is this most recent set necesarry even if the malware is gone (at least it seems that way)?

illukka · Apr 18, 2006

hi

i assume that the the major infections is now gone
however ther may very well be hidden files so its better to runa a scan

the item to fix with hijackthis is an orphaned entry but fixing it will make it run smoother

luminousnerd · Apr 18, 2006

Okay, thanks tons for the help.

Panda:
Incident Status Location

Adware:adware/emediacodec Not disinfected C:\Documents and Settings\All Users\Desktop\Online Security Guide.url
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt[]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt[33645339]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt[]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\LuminousNerd\Cookies\luminousnerd@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\LuminousNerd\Cookies\luminousnerd@ad.yieldmanager[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\LuminousNerd\Cookies\luminousnerd@atwola[2].txt
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\LuminousNerd\Cookies\luminousnerd@microsofteup.112.2o7[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\LuminousNerd\Desktop\SmitfraudFix\Process.exe
Adware:adware/securityerror Not disinfected C:\Documents and Settings\LuminousNerd\Favorites\Antivirus Test Online.url
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\Documents and Settings\LuminousNerd\Local Settings\Temp\sa6.exe
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\Documents and Settings\LuminousNerd\Local Settings\Temp\sa9.exe
Potentially unwanted tool:application/spywarequake Not disinfected C:\Documents and Settings\LuminousNerd\Start Menu\SpywareQuake 2.0.lnk
Adware:Adware/CWS.Searchmeup Not disinfected C:\Program Files\TechSmith\Camtasia Studio 3\cr-cs3012.exe[run.exe]
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\RECYCLER\S-1-5-21-1844237615-1409082233-682003330-500\Dc5\SpywareQuake.exe
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\RECYCLER\S-1-5-21-1844237615-1409082233-682003330-500\Dc5\uninst.exe
Adware:Adware/SpywareQuake Not disinfected C:\RECYCLER\S-1-5-21-1844237615-1409082233-682003330-500\Dc6\ld6360.tmp
Adware:Adware/SpywareQuake Not disinfected C:\RECYCLER\S-1-5-21-1844237615-1409082233-682003330-500\Dc6\ldB623.tmp
Adware:Adware/SpywareQuake Not disinfected C:\RECYCLER\S-1-5-21-1844237615-1409082233-682003330-500\Dc6\ldC17F.tmp
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

HJT
Logfile of HijackThis v1.99.1
Scan saved at 2:46:08 PM, on 4/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1135243458\ee\AOLSoftware.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Macromedia\Flash 8\Flash.exe
c:\program files\common files\aol\1135243458\ee\aim6.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijack This\HijackThis.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135243458\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Fusion Render Slave.lnk = C:\Program Files\Fusion Render Slave\RenderSlave.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O21 - SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - C:\Program Files\Stardock\Object Desktop\IconPackager\iprepair.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

illukka · Apr 19, 2006

hi

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

then do the panda scan again
post results here

also
post a fresh hjt log

luminousnerd · Apr 20, 2006

Wow, still crapped up eh?

Thanks for the help, here's the logs:

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 12:44:33 PM, on 4/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1135243458\ee\AOLSoftware.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
c:\program files\common files\aol\1135243458\ee\aim6.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Macromedia\Flash 8\Flash.exe
C:\Program Files\SmartFTP\SmartFTP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135243458\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Fusion Render Slave.lnk = C:\Program Files\Fusion Render Slave\RenderSlave.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O21 - SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - C:\Program Files\Stardock\Object Desktop\IconPackager\iprepair.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

Panda:

Incident Status Location

Adware:adware/emediacodec Not disinfected C:\Documents and Settings\All Users\Desktop\Online Security Guide.url
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt[]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt[11719988]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt[]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt[91338698]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt[]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\LuminousNerd\Desktop\SmitfraudFix\Process.exe
Adware:adware/securityerror Not disinfected C:\Documents and Settings\LuminousNerd\Favorites\Antivirus Test Online.url
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\Documents and Settings\LuminousNerd\Local Settings\Temp\sa6.exe
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\Documents and Settings\LuminousNerd\Local Settings\Temp\sa9.exe
Potentially unwanted tool:application/spywarequake Not disinfected C:\Documents and Settings\LuminousNerd\Start Menu\SpywareQuake 2.0.lnk
Adware:Adware/CWS.Searchmeup Not disinfected C:\Program Files\TechSmith\Camtasia Studio 3\cr-cs3012.exe[run.exe]
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\RECYCLER\S-1-5-21-1844237615-1409082233-682003330-500\Dc5\SpywareQuake.exe
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\RECYCLER\S-1-5-21-1844237615-1409082233-682003330-500\Dc5\uninst.exe
Adware:Adware/SpywareQuake Not disinfected C:\RECYCLER\S-1-5-21-1844237615-1409082233-682003330-500\Dc6\ld6360.tmp
Adware:Adware/SpywareQuake Not disinfected C:\RECYCLER\S-1-5-21-1844237615-1409082233-682003330-500\Dc6\ldB623.tmp
Adware:Adware/SpywareQuake Not disinfected C:\RECYCLER\S-1-5-21-1844237615-1409082233-682003330-500\Dc6\ldC17F.tmp
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

illukka · Apr 20, 2006

hi

1. Please download Ewido Anti-Malware

Install ewido anti-malware
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.
- On the left hand side of the main screen click update.
- Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")
Exit Ewido, do not run the scan yet!

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. Once in Safe Mode, Open Ewido:

Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido anti-malware.

reboot
back to normal mode
post the ewido report and a fresh hjt log

luminousnerd · Apr 23, 2006

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:45:14 PM, 4/20/2006
+ Report-Checksum: F9050A6B

+ Scan result:

:mozilla.6:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.9:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.10:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.12:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.14:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.15:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.16:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.18:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.19:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.32:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.35:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.36:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.37:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.38:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.39:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.40:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.41:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.42:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.43:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.44:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.45:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.46:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.54:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.61:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.63:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.64:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.65:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.75:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.76:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.77:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.78:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.97:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.98:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.99:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.111:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.112:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.113:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.114:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.115:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.118:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.119:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.124:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.131:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.132:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.133:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.134:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.138:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.145:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.149:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.150:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.151:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.152:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.153:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.154:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Commission-junction : Cleaned with backup
:mozilla.155:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Commission-junction : Cleaned with backup
:mozilla.158:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.159:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.160:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.161:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.162:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.173:C:\Documents and Settings\LuminousNerd\Application Data\Mozilla\Firefox\Profiles\ssut1m9t.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\Documents and Settings\LuminousNerd\Cookies\luminousnerd@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Program Files\LightWave [8]\Programs\ssg-lw80.exe -> Trojan.Agent.jh : Cleaned with backup
C:\Program Files\TechSmith\Camtasia Studio 3\cr-cs3012.exe/run.exe -> Downloader.PassAlert.e : Error during cleaning
C:\RECYCLER\S-1-5-21-1844237615-1409082233-682003330-500\Dc6\ld6360.tmp -> Not-A-Virus.Hoax.Win32.Renos.cc : Cleaned with backup
C:\RECYCLER\S-1-5-21-1844237615-1409082233-682003330-500\Dc6\ldB623.tmp -> Not-A-Virus.Hoax.Win32.Renos.cc : Cleaned with backup
C:\RECYCLER\S-1-5-21-1844237615-1409082233-682003330-500\Dc6\ldC17F.tmp -> Not-A-Virus.Hoax.Win32.Renos.cc : Cleaned with backup

::Report End

Logfile of HijackThis v1.99.1
Scan saved at 1:05:05 AM, on 4/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\AOL\1135243458\ee\AOLSoftware.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
C:\Program Files\Fusion Render Slave\RenderSlave.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
c:\program files\common files\aol\1135243458\ee\aim6.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Fusion Render Slave\eyeonScript.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Macromedia\Flash 8\Flash.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijack This\HijackThis.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135243458\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Fusion Render Slave.lnk = C:\Program Files\Fusion Render Slave\RenderSlave.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O21 - SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - C:\Program Files\Stardock\Object Desktop\IconPackager\iprepair.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

illukka · Apr 23, 2006

hi

looks clean

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore

or

Windows XP System Restore Guide

Reenable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
  - Change the Download signed ActiveX controls to Prompt
  - Change the Download unsigned ActiveX controls to Disable
  - Change the Initialize and script ActiveX controls not marked as safe to Disable
  - Change the Installation of desktop items to Prompt
  - Change the Launching programs and files in an IFRAME to Prompt
  - Change the Navigate sub-frames across different domains to Prompt
  - When all these settings have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

also remember to keep your java updated, see this topic for instructions
http://forums.spybot.info/showthread.php?t=2559

luminousnerd · Apr 23, 2006

Thanks much. I've been looking for programs like these...Spybot alone just doesn't do the trick. Even with Ad-Aware, AVG, MS Anti-Spyware, and Hijack This, things get through. Hopefully, Ewido, ATF, and the others you've suggested will help me keep clean!

Thanks tons

illukka · Apr 25, 2006

hi

as the problem here is resolved this topic will now be archived
to prevent others with similar problems posting to it instead of starting new topics

if you need it reopened contact the forum staff. this applies to the original poster only

glad we could help

Annoying Spyware Application spawning popups, etc

luminousnerd

New member

illukka

Expert-Emeritus

luminousnerd

New member

illukka

Expert-Emeritus

luminousnerd

New member

illukka

Expert-Emeritus

luminousnerd

New member

illukka

Expert-Emeritus

luminousnerd

New member

illukka

Expert-Emeritus

luminousnerd

New member

illukka

Expert-Emeritus

luminousnerd

New member

illukka

Expert-Emeritus

luminousnerd

New member

illukka

Expert-Emeritus