Author Topic: Changed home page  (Read 4419 times)

Guy

  • Guest
Changed home page
« on: December 07, 2004, 01:24:51 PM »
Please help, I have found the ntnut.exe file but cannot delete it. Thanks


Logfile of HijackThis v1.98.2
Scan saved at 15:34:17, on 7/12/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\VIAudioi\SBADeck\ADeck.exe
C:\Arquivos de programas\iGv6\Discador iG.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Arquivos de programas\DIGStream\digstream.exe
C:\WINDOWS\system32\ntnut.exe
C:\Arquivos de programas\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\ARQUIV~1\iGv6\sysbrand.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
C:\Arquivos de programas\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find-on-the-net.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpe.dll/security.htm#subID=BSW;677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://farejador.ig.com.br/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://farejador.ig.com.br
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
O3 - Toolbar: IE Search Toolbar - {EB381422-F797-4A98-A266-9DC490821907} - C:\Arquivos de programas\IESearchToolbar\IESearchToolbar.dll
O4 - HKLM\..\Run: [AudioDeck] C:\Arquivos de programas\VIAudioi\SBADeck\ADeck.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Discador iG] "C:\Arquivos de programas\iGv6\Discador iG.exe" boot
O4 - HKLM\..\Run: [Windows Compliant] bxfhzm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DIGStream] C:\Arquivos de programas\DIGStream\digstream.exe
O4 - HKLM\..\Run: [FX] C:\WINDOWS\Downloaded Program Files\ieloader.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Arquivos de programas\Creative\Video Blaster WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\RunServices: [Windows Compliant] bxfhzm.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SysBrand] "C:\ARQUIV~1\iGv6\sysbrand.exe"
O4 - HKCU\..\Run: [Worms2.exe] C:\DOCUME~1\JACQUE~1\Desktop\Jogos\Worms2.exe /r
O4 - HKCU\..\Run: [Slta] C:\Documents and Settings\Jacqueline\Dados de aplicativos\tets.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Arquivos de programas\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA2F02FD-C012-4C77-93CE-932B0491908F}: NameServer = 200.165.132.154 200.165.132.147
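
The entries the helper later picks out of this log (hosts-file redirections to a remote address, a res:// start page served from a DLL, the missing URLSearchHook, path-less Run entries and Trusted Zone additions) can be screened mechanically. The following Python is an added example written for this page, not a HijackThis feature or a tool used in the thread; the heuristics are mine, and the sample lines are copied from the log above plus one constructed 127.0.0.1 hosts line for contrast.

```python
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis log posted above, plus one
# constructed loopback hosts line (127.0.0.1 localhost) for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find-on-the-net.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpe.dll/security.htm#subID=BSW;677
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
O4 - HKLM\..\RunServices: [Windows Compliant] bxfhzm.exe
O4 - HKLM\..\Run: [FX] C:\WINDOWS\Downloaded Program Files\ieloader.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted Zone: *.crazywinnings.com
"""

# Every HijackThis entry starts with a section code such as R0, O1 or O15.
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# Executable part of a Run-key command: a quoted path, or text up to ".exe".
EXE_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.*?\.exe\b|\S+))', re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Locations where a persistent autorun executable deserves a second look.
SUSPECT_DIRS = ("downloaded program files", "documents and settings", "docume~1")


@dataclass(frozen=True)
class Finding:
    code: str
    reason: str
    line: str


def check_hosts(body):
    """O1: 'Hosts: <ip> <name>'. A hosts entry that points a search-engine
    name at a remote address silently redirects every lookup of that name."""
    m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
    if m and m.group(1) not in LOOPBACK:
        return f"hosts file maps {m.group(2)} to remote address {m.group(1)}"
    return None


def check_ie_page(body):
    """R0/R1: '<key>,<value> = <url>'. A res:// URL means IE's start or search
    page is rendered from a resource inside a local DLL (here shdocpe.dll)."""
    if "=" not in body:
        return None
    url = body.split("=", 1)[1].strip().lstrip("&")
    if url.lower().startswith("res://"):
        return f"IE page served from a local DLL resource: {url}"
    return None


def command_exe(cmd):
    """Return the executable part of a Run-key command line (quoted or not)."""
    m = EXE_RE.match(cmd.strip())
    return (m.group("q") or m.group("u")) if m else cmd.strip()


def check_run_entry(body):
    """O4: '<hive>\\..\\Run: [<name>] <command>'. Bare file names are resolved
    through the PATH search order, so the log does not say where the file
    lives; legitimate entries (VTTimer.exe in this log) look the same, which
    is why the output is a review list rather than a verdict."""
    m = re.match(r".*?\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", body)
    if not m:
        return None
    exe = command_exe(m.group("cmd"))
    if "\\" not in exe:
        return f"autorun '{m.group('name')}' runs {exe} with no path"
    if any(d in exe.lower() for d in SUSPECT_DIRS):
        return f"autorun '{m.group('name')}' runs from an unusual location: {exe}"
    return None


CHECKS = {
    "R0": check_ie_page,
    "R1": check_ie_page,
    "R3": lambda body: "default URLSearchHook missing" if "missing" in body else None,
    "O1": check_hosts,
    "O4": check_run_entry,
    "O15": lambda body: "domain added to IE Trusted Zone: " + body.split(":", 1)[1].strip(),
}


def triage(log_text):
    """Return the HijackThis entries that match a review heuristic, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list, blank lines
        check = CHECKS.get(m.group("code"))
        reason = check(m.group("body")) if check else None
        if reason:
            findings.append(Finding(m.group("code"), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason}")
```

The ntnut.exe entry itself is not caught by any of these heuristics, since it sits in System32 with a full path; that one still needs an analyst who knows the file.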

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Changed home page
« Reply #1 on: December 07, 2004, 08:44:52 PM »
Hi Guy, actually your log shows a few problems
This may not be fixed in one response but can be fixed if you stick with me

I need you to download a few tools to help fix this up and follow everything I outline to do

These Spyware Removal programs are yours for free and to hang onto
First, can you download and install
Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version
If you don't have this version, install this one
After installation-CHECK FOR UPDATES
Allow to download updates
Do a Full system scan----Remove All Critical objects
RESTART your computer to finish the cleaning process

Next:
Download and Install Spybot S&D 1.3
After installation--SEARCH FOR UPDATES
Download All updates
Check for Problems---FIX everything in RED
Restart your computer again to finish the cleaning process

Back in Windows
I also need you to download these small downloads to check for certain infections
Download ServiceFilter
Give the link time to load

This reveals potential unauthorised running services in your system. Download, unzip the contents to a folder and double-click ServiceFilter.vbs >> Allow this to run, it's only collecting information (even if your AV prompts you). This script will create a text file named Post_This.txt in the same folder as the script itself has been saved

Can you Download DLLCompare

Start the Program and click the Run Locate.com
Default settings should work---C:\Windows\System32 directory
Let it complete the SCAN, which won't take long
Click the Compare button to start the next process. This will take a bit longer.

When it's done click the Make a log of what was found button and post it back here

One last download
Download VX2Finder from this link:
VX2Finder(126).exe
Run Vx2Finder and click on the "Click to find VX2.BetterInternet button."

Click the Make Log button.
Save the log and post it back here later

Recap
Download, Install, update and run scans with both Ad-Aware and Spybot
Restarting your computer in between

Post back here The DllCompare log---VX2 Finder log----
Post_This.txt from Servicefilter
Could you also post back a fresh hijackthis log, thanks
« Last Edit: December 07, 2004, 08:47:43 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Guy

  • Guest
Changed home page
« Reply #2 on: December 08, 2004, 09:32:33 PM »
Thank you so much for your help so far. I have run updated scans of ad-aware and spybot and I have restarted the computer each time. Below you will find a copy of the logs of all the other scans. Once again thank you so much.

*    DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\en68l1~1.dll   Tue  7 Dec 2004  10:28:48   ..S.R        223.146   217,91 K
C:\WINDOWS\SYSTEM32\f4j20e~1.dll   Tue  7 Dec 2004  13:39:04   ..S.R        226.261   220,96 K
C:\WINDOWS\SYSTEM32\fn0021~1.dll   Mon  6 Dec 2004  18:02:26   ..S.R        224.542   219,28 K
C:\WINDOWS\SYSTEM32\gp82l3~1.dll   Wed  8 Dec 2004  11:38:38   ..S.R        224.460   219,20 K
C:\WINDOWS\SYSTEM32\kt86l7~1.dll   Wed  8 Dec 2004  23:04:02   ..S.R        222.495   217,28 K
C:\WINDOWS\SYSTEM32\l68mlg~1.dll   Wed  8 Dec 2004  23:22:22   ..S.R        223.352   218,12 K
C:\WINDOWS\SYSTEM32\n26qlc~1.dll   Wed  8 Dec 2004  20:33:18   ..S.R        222.989   217,76 K
C:\WINDOWS\SYSTEM32\shdocpe.dll    Mon  6 Dec 2004  17:30:26   ..SHR         30.208    29,50 K
________________________________________________

1.211 items found:  1.211 files (8 H/S), 0 directories.
Total of file sizes:  215.764.782 bytes    205,77 M

Administrator Account =  True

--------------------End log---------------------


Logfile of HijackThis v1.98.2
Scan saved at 23:33:29, on 8/12/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\VIAudioi\SBADeck\ADeck.exe
C:\Arquivos de programas\iGv6\Discador iG.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Arquivos de programas\DIGStream\digstream.exe
C:\Arquivos de programas\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\ARQUIV~1\iGv6\sysbrand.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
C:\Arquivos de programas\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find-on-the-net.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpe.dll/security.htm#subID=BSW;677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://farejador.ig.com.br/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://farejador.ig.com.br
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll
O3 - Toolbar: IE Search Toolbar - {EB381422-F797-4A98-A266-9DC490821907} - C:\Arquivos de programas\IESearchToolbar\IESearchToolbar.dll
O4 - HKLM\..\Run: [AudioDeck] C:\Arquivos de programas\VIAudioi\SBADeck\ADeck.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Discador iG] "C:\Arquivos de programas\iGv6\Discador iG.exe" boot
O4 - HKLM\..\Run: [Windows Compliant] bxfhzm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DIGStream] C:\Arquivos de programas\DIGStream\digstream.exe
O4 - HKLM\..\Run: [FX] C:\WINDOWS\Downloaded Program Files\ieloader.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Arquivos de programas\Creative\Video Blaster WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\RunServices: [Windows Compliant] bxfhzm.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SysBrand] "C:\ARQUIV~1\iGv6\sysbrand.exe"
O4 - HKCU\..\Run: [Worms2.exe] C:\DOCUME~1\JACQUE~1\Desktop\Jogos\Worms2.exe /r
O4 - HKCU\..\Run: [Slta] C:\Documents and Settings\Jacqueline\Dados de aplicativos\tets.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - C:\ARQUIV~1\iGv6\igshop.dll
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4us.cab



The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600
dez 8, 2004 23:30:12


===> Begin Service Listing <===

Unknown Service #1
Service Name: Avg7Alrt
Display Name: AVG7 Alert Manager Server
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\arquiv~1\grisoft\avgfre~1\avgamsvr.exe
State: Running
Process ID: 128
Started: Verdadeiro
Exit Code: 0
Accept Pause: Falso
Accept Stop: Verdadeiro

Unknown Service #2
Service Name: Avg7UpdSvc
Display Name: AVG7 Update Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\arquiv~1\grisoft\avgfre~1\avgupsvc.exe
State: Running
Process ID: 184
Started: Verdadeiro
Exit Code: 0
Accept Pause: Falso
Accept Stop: Verdadeiro

Unknown Service # 3
Service Name: ewido security suite control
Display Name: ewido security suite control
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\arquivos de programas\ewido\security suite\ewidoctrl.exe
State: Running
Process ID: 228
Started: Verdadeiro
Exit Code: 0
Accept Pause: Falso
Accept Stop: Verdadeiro

Unknown Service # 4
Service Name: ewido security suite guard
Display Name: ewido security suite guard
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\arquivos de programas\ewido\security suite\ewidoguard.exe
State: Running
Process ID: 252
Started: Verdadeiro
Exit Code: 0
Accept Pause: Falso
Accept Stop: Verdadeiro

Unknown Service #5
Service Name: ssoftservice
Display Name: Cryptainer service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: ssoftsrv.exe
State: Running
Process ID: 416
Started: Verdadeiro
Exit Code: 0
Accept Pause: Falso
Accept Stop: Verdadeiro

Unknown Service #6
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Gerencia cópias de sombra de volume baseadas em software obtidas pelo serviço de cópias de sombra ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{3ae45947-5759-46db-9bc6-5c79eb0f021c}
State: Stopped
Process ID: 0
Started: Falso
Exit Code: 1077
Accept Pause: Falso
Accept Stop: Falso

---> End Service Listing <---

There are 82 Win32 services on this machine.
6 were unrecognized.

Script Execution Time: 2 seconds.

Log for VX2.BetterInternet File Finder (msg126)

Files Found---
 
Additional Files---
 
Keys Under Notify---
crypt32chain
cryptnet
cscdll
MS-DOS Emulation
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{20B2C9A7-ADF8-461F-842B-0941A98B562E}

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Changed home page
« Reply #3 on: December 08, 2004, 10:37:33 PM »
Good work
I need you to do a couple other steps before we tackle the main problem

First would you please download Windows CleanUp!
Give the link time to load--It's a small download, this will help to clean your temporary folders, cookies, and prefetch folder
Install it but Don't run it yet

Set Windows to Show Hidden Files and folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types option.
    * Click Yes to confirm.
    * Click OK.

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
Name the file as fix.reg
Important>>>Change the Save as Type to All Files.
Save this file on the desktop, we'll need this later, don't run it yet

Quote
REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"=dword:00000000

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find-on-the-net.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpe.dll/security.htm#subID=BSW;677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://farejador.ig.com.br/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://farejador.ig.com.br
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
R3 - Default URLSearchHook is missing

O3 - Toolbar: IE Search Toolbar - {EB381422-F797-4A98-A266-9DC490821907} - C:\Arquivos de programas\IESearchToolbar\IESearchToolbar.dll

O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home

O4 - HKLM\..\RunServices: [Windows Compliant] bxfhzm.exe

O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.windupdates.com


After you have ticked the above entries, close down All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES to the prompt and exit Hijackthis

Restart your computer into safe mode
you can do this by tapping the F8 key when your System is first booting up or follow the directions from this link
SAFE MODE

Find and delete these files or folders if they exist
C:\WINDOWS\system32\ntnut.exe <--file

C:\Arquivos de programas\IESearchToolbar <--folder

Stay in safe mode
Double click on fix.reg and Allow it to merge to the registry

Open Cleanup and click on the Cleanup button
Let it finish scanning for files
Restart your computer back to Normal Mode

Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Reset home page

Post back with a fresh Hijackthis log
Do another scan with DLLCompare and post back that log too
Also Post back a new scan with VX2 Finder

Could you also Download Findit.zip

Please download it to your desktop, unzip it, then double-click on it to run it. It should run for a few seconds, then open a text document. Please copy and paste the contents of that document here
You can close out the text file after and hit a key on your keyboard to close out the .bat utility

The above should help identify all the bad files running and let us deal with it later
« Last Edit: December 08, 2004, 10:38:29 PM by guestolo »
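
The fix.reg quoted above relies on two REGEDIT4 features: a bracketed key with a leading minus, [-KEY], deletes that key together with every subkey, and an immediately following [KEY] recreates it empty; this is how the Trusted Zone domains and the URLSearchHooks are cleared before the default search hook CLSID is re-added. The following Python is an added example written for this page (not a tool from the thread) that interprets such a file without touching the registry, so the operations can be reviewed before merging; it handles string, dword and delete-value entries only, the sample is a trimmed copy of the quoted keys, and the malformed line is constructed.

```python
import re

# Trimmed copy of the keys from the fix.reg quoted above, in REGEDIT4 syntax.
SAMPLE_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Use Custom Search URL"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"
"""

# Constructed malformed value line (a doubled name=, the kind of slip that
# creeps in when a fix file is hand-edited); it should be caught before merging.
BROKEN_REG = (
    'REGEDIT4\n\n[HKEY_CURRENT_USER\\Software\\Example]\n'
    '"Search Bar"="Search Bar"="http://search.msn.com/spbasic.htm"\n'
)

HEADERS = {"REGEDIT4", "Windows Registry Editor Version 5.00"}
KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')
STRING_RE = re.compile(r'^"(?:[^"\\]|\\.)*"$')
DWORD_RE = re.compile(r"^dword:[0-9a-fA-F]{8}$")


def interpret(text):
    """Return (ops, errors). Each op is (kind, key, payload):
    delete_key  - [-KEY]: removes KEY and its whole subtree
    create_key  - [KEY]: creates KEY if absent (no-op otherwise)
    delete_value, set_string, set_dword - value operations under the current key"""
    ops, errors, current = [], [], None
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        errors.append("line 1: expected REGEDIT4 header")
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            ops.append(("delete_key" if km.group("minus") else "create_key", current, None))
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            errors.append(f"line {n}: not a key or value line: {line}")
            continue
        if current is None:
            errors.append(f"line {n}: value appears before any [KEY] header")
            continue
        name = "(Default)" if vm.group("name") == "@" else vm.group("name")[1:-1]
        data = vm.group("data").strip()
        if data == "-":
            ops.append(("delete_value", current, name))
        elif STRING_RE.match(data):
            ops.append(("set_string", current, (name, data[1:-1])))
        elif DWORD_RE.match(data):
            ops.append(("set_dword", current, (name, int(data[6:], 16))))
        else:
            errors.append(f"line {n}: malformed data for {name!r}: {data}")
    return ops, errors


def wiped_subtrees(ops):
    """Keys whose entire subtree the file deletes; review these first."""
    return [key for kind, key, _ in ops if kind == "delete_key"]


if __name__ == "__main__":
    ops, errors = interpret(SAMPLE_REG)
    for kind, key, payload in ops:
        print(f"{kind:<13} {key}" + (f"  {payload}" if payload is not None else ""))
    print("errors:", errors or "none")
```

Deleting ZoneMap\Domains removes every site the user ever assigned to any IE zone, not only the three attacker-added Trusted Zone entries, which is why such a wipe is worth seeing in a dry run first.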


Guy

  • Guest
Changed home page
« Reply #4 on: December 09, 2004, 07:21:09 AM »
I have run into another problem, when I reboot in safe mode and I begin to look for the ntnut.exe file and IESearchtoolbar folder, my keyboard stops working. I cannot type in that mode for some reason. What should I do now?

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Changed home page
« Reply #5 on: December 09, 2004, 09:23:11 AM »
Most of what I asked you to do is in Normal Mode, do what you can in Normal and then Restart into safe mode and use your mouse to navigate to those files and delete them and merge the registry item

If not Restart back into Normal and try deleting


Guy

  • Guest
Changed home page
« Reply #6 on: December 09, 2004, 11:25:50 AM »
Well so far so good. I hope.

*    DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\en68l1~1.dll   Tue  7 Dec 2004  10:28:48   ..S.R        223.146   217,91 K
C:\WINDOWS\SYSTEM32\f2l00c~1.dll   Thu  9 Dec 2004   9:22:56   ..S.R        223.036   217,81 K
C:\WINDOWS\SYSTEM32\f4j20e~1.dll   Tue  7 Dec 2004  13:39:04   ..S.R        226.261   220,96 K
C:\WINDOWS\SYSTEM32\fn0021~1.dll   Mon  6 Dec 2004  18:02:26   ..S.R        224.542   219,28 K
C:\WINDOWS\SYSTEM32\gp82l3~1.dll   Wed  8 Dec 2004  11:38:38   ..S.R        224.460   219,20 K
C:\WINDOWS\SYSTEM32\gpl2l3~1.dll   Thu  9 Dec 2004  13:19:08   ..S.R        222.824   217,60 K
C:\WINDOWS\SYSTEM32\i2240c~1.dll   Thu  9 Dec 2004   9:25:26   ..S.R        224.367   219,11 K
C:\WINDOWS\SYSTEM32\lv8809~1.dll   Thu  9 Dec 2004  12:26:00   ..S.R        226.019   220,72 K
C:\WINDOWS\SYSTEM32\lv8o09~1.dll   Thu  9 Dec 2004  13:03:02   ..S.R        222.402   217,19 K
C:\WINDOWS\SYSTEM32\n26qlc~1.dll   Wed  8 Dec 2004  20:33:18   ..S.R        222.989   217,76 K
C:\WINDOWS\SYSTEM32\n4r2le~1.dll   Thu  9 Dec 2004   8:45:42   ..S.R        223.879   218,63 K
C:\WINDOWS\SYSTEM32\o8pqli~1.dll   Thu  9 Dec 2004  12:55:54   ..S.R        223.191   217,96 K
C:\WINDOWS\SYSTEM32\p46sle~1.dll   Thu  9 Dec 2004  13:21:00   ..S.R        226.019   220,72 K
C:\WINDOWS\SYSTEM32\shdocpe.dll    Mon  6 Dec 2004  17:30:26   ..SHR         30.208    29,50 K
________________________________________________

1.235 items found:  1.235 files (14 H/S), 0 directories.
Total of file sizes:  228.930.195 bytes    218,32 M

Administrator Account =  True

--------------------End log---------------------


Logfile of HijackThis v1.98.2
Scan saved at 13:30:32, on 9/12/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\VIAudioi\SBADeck\ADeck.exe
C:\Arquivos de programas\iGv6\Discador iG.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Arquivos de programas\DIGStream\digstream.exe
C:\Arquivos de programas\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\ARQUIV~1\iGv6\sysbrand.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
C:\Arquivos de programas\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\HJT\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
O4 - HKLM\..\Run: [AudioDeck] C:\Arquivos de programas\VIAudioi\SBADeck\ADeck.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Discador iG] "C:\Arquivos de programas\iGv6\Discador iG.exe" boot
O4 - HKLM\..\Run: [Windows Compliant] bxfhzm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DIGStream] C:\Arquivos de programas\DIGStream\digstream.exe
O4 - HKLM\..\Run: [FX] C:\WINDOWS\Downloaded Program Files\ieloader.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Arquivos de programas\Creative\Video Blaster WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SysBrand] "C:\ARQUIV~1\iGv6\sysbrand.exe"
O4 - HKCU\..\Run: [Worms2.exe] C:\DOCUME~1\JACQUE~1\Desktop\Jogos\Worms2.exe /r
O4 - HKCU\..\Run: [Slta] C:\Documents and Settings\Jacqueline\Dados de aplicativos\tets.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
O12 - Plugin for .pdf: C:\Arquivos de programas\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA2F02FD-C012-4C77-93CE-932B0491908F}: NameServer = 200.165.132.154 200.165.132.147

Log for VX2.BetterInternet File Finder (msg126)

Files Found---
 
Additional Files---
 
Keys Under Notify---
App Paths
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{20B2C9A7-ADF8-461F-842B-0941A98B562E}


Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System32 Directory -------

 O volume na unidade C não tem nome.
 O número de série do volume é 90C4-AC26

 Pasta de C:\WINDOWS\System32

09/12/2004  13:20           226.019 p46slej71ho.dll
09/12/2004  13:19           222.824 gpl2l33o1.dll
09/12/2004  13:03           222.402 lv8o09l3e.dll
09/12/2004  12:55           223.191 o8pqli7518.dll
09/12/2004  12:25           226.019 lv8809lue.dll
09/12/2004  10:11    <DIR>          dllcache
09/12/2004  09:25           224.367 i2240cfqef2e0.dll
09/12/2004  09:22           223.036 f2l00c3mef.dll
09/12/2004  08:45           223.879 n4r2le9o1h.dll
08/12/2004  20:33           222.989 n26qlcj51fo.dll
08/12/2004  11:38           224.460 gp82l3lo1.dll
07/12/2004  13:39           226.261 f4j20e1oeh.dll
07/12/2004  10:28           223.146 en68l1ju1.dll
06/12/2004  18:02           224.542 fn0021dmg.dll
06/12/2004  17:30            30.208 shdocpe.dll
              14 arquivo(s)      2.943.343 bytes
               1 pasta(s) 33.093.005.312 bytes disponíveis

 ------- Hidden Files in System32 Directory -------

 O volume na unidade C não tem nome.
 O número de série do volume é 90C4-AC26

 Pasta de C:\WINDOWS\System32

09/12/2004  10:11    <DIR>          dllcache
06/12/2004  17:30            30.208 shdocpe.dll
06/11/2004  15:29               488 WindowsLogon.manifest
06/11/2004  15:29               488 logonui.exe.manifest
06/11/2004  15:29               749 sapi.cpl.manifest
06/11/2004  15:29               749 nwc.cpl.manifest
06/11/2004  15:29               749 cdplayer.exe.manifest
06/11/2004  15:29               749 wuaucpl.cpl.manifest
06/11/2004  15:29               749 ncpa.cpl.manifest
               8 arquivo(s)         34.929 bytes
               1 pasta(s) 33.093.001.216 bytes disponíveis

 ---------- Files Named "Guard" -------------

 O volume na unidade C não tem nome.
 O número de série do volume é 90C4-AC26

 Pasta de C:\WINDOWS\System32


 --------- Temp Files in System32 Directory --------

 O volume na unidade C não tem nome.
 O número de série do volume é 90C4-AC26

 Pasta de C:\WINDOWS\System32

28/10/2001  15:06             2.969 CONFIG.TMP
               1 arquivo(s)          2.969 bytes
               0 pasta(s) 33.092.997.120 bytes disponíveis

 ---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{20B2C9A7-ADF8-461F-842B-0941A98B562E}"=""


 ------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lv8809lue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


 ---------------- Xfind Results -----------------

C:\WINDOWS\System32\LV8809~1.DLL +++ File read error

 -------------- Locate.com Results ---------------


C:\WINDOWS\SYSTEM32\
   en68l1~1.dll   Tue  7 Dec 2004  10:28:48   ..S.R        223.146   217,91 K
   f2l00c~1.dll   Thu  9 Dec 2004   9:22:56   ..S.R        223.036   217,81 K
   f4j20e~1.dll   Tue  7 Dec 2004  13:39:04   ..S.R        226.261   220,96 K
   fn0021~1.dll   Mon  6 Dec 2004  18:02:26   ..S.R        224.542   219,28 K
   gp82l3~1.dll   Wed  8 Dec 2004  11:38:38   ..S.R        224.460   219,20 K
   gpl2l3~1.dll   Thu  9 Dec 2004  13:19:08   ..S.R        222.824   217,60 K
   i2240c~1.dll   Thu  9 Dec 2004   9:25:26   ..S.R        224.367   219,11 K
   lv8809~1.dll   Thu  9 Dec 2004  12:26:00   ..S.R        226.019   220,72 K
   lv8o09~1.dll   Thu  9 Dec 2004  13:03:02   ..S.R        222.402   217,19 K
   n26qlc~1.dll   Wed  8 Dec 2004  20:33:18   ..S.R        222.989   217,76 K
   n4r2le~1.dll   Thu  9 Dec 2004   8:45:42   ..S.R        223.879   218,63 K
   o8pqli~1.dll   Thu  9 Dec 2004  12:55:54   ..S.R        223.191   217,96 K
   p46sle~1.dll   Thu  9 Dec 2004  13:21:00   ..S.R        226.019   220,72 K
   shdocpe.dll    Mon  6 Dec 2004  17:30:26   ..SHR         30.208    29,50 K

14 items found:  14 files, 0 directories.
   Total of file sizes:  2.943.343 bytes      2,80 M


I hope this is right so far.

guestolo
Changed home page
« Reply #7 on: December 11, 2004, 11:50:48 PM »
Sorry for the delay
Can you please post a fresh Hijackthis log
DllCompare Log and
Download this version of Findit.zip --- it's been updated
Unzip the contents to Desktop
Open the folder and Double click on find.bat to run it
Let it scan and post the results please

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Guy
Changed home page
« Reply #8 on: December 13, 2004, 12:46:19 PM »
No prob about the delay. One question before I paste the relevant info: when I run a scan with Ad-Aware and it brings up VX2 files, can I select all these to be repaired?

Logfile of HijackThis v1.98.2
Scan saved at 14:52:04, on 13/12/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\VIAudioi\SBADeck\ADeck.exe
C:\Arquivos de programas\iGv6\Discador iG.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Arquivos de programas\DIGStream\digstream.exe
C:\Arquivos de programas\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\ARQUIV~1\iGv6\sysbrand.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Arquivos de programas\ewido\security suite\ewidoguard.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\HJT\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br/home
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
O4 - HKLM\..\Run: [AudioDeck] C:\Arquivos de programas\VIAudioi\SBADeck\ADeck.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Discador iG] "C:\Arquivos de programas\iGv6\Discador iG.exe" boot
O4 - HKLM\..\Run: [Windows Compliant] bxfhzm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DIGStream] C:\Arquivos de programas\DIGStream\digstream.exe
O4 - HKLM\..\Run: [FX] C:\WINDOWS\Downloaded Program Files\ieloader.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Arquivos de programas\Creative\Video Blaster WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SysBrand] "C:\ARQUIV~1\iGv6\sysbrand.exe"
O4 - HKCU\..\Run: [Worms2.exe] C:\DOCUME~1\JACQUE~1\Desktop\Jogos\Worms2.exe /r
O4 - HKCU\..\Run: [Slta] C:\Documents and Settings\Jacqueline\Dados de aplicativos\tets.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
O12 - Plugin for .pdf: C:\Arquivos de programas\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA2F02FD-C012-4C77-93CE-932B0491908F}: NameServer = 200.165.132.154 200.165.132.147

Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System32 Directory -------

 O volume na unidade C não tem nome.
 O número de série do volume é 90C4-AC26

 Pasta de C:\WINDOWS\System32

13/12/2004  14:46           223.243 guard.tmp
13/12/2004  11:25           224.241 t0r80a9ued.dll
13/12/2004  10:28           225.424 n22ulcf91f2.dll
11/12/2004  22:17           225.792 fpr0039me.dll
11/12/2004  16:50           223.405 m6po0g73e6.dll
11/12/2004  15:49           224.796 ibrop.dll
11/12/2004  09:38           225.005 j40s0ed7eh0.dll
10/12/2004  07:21           223.190 f0l02a3mgd.dll
10/12/2004  07:21           222.636 jtn8075ue.dll
09/12/2004  13:19           222.824 gpl2l33o1.dll
09/12/2004  13:03           222.402 lv8o09l3e.dll
09/12/2004  12:55           223.191 o8pqli7518.dll
09/12/2004  10:11    <DIR>          dllcache
09/12/2004  09:25           224.367 i2240cfqef2e0.dll
09/12/2004  09:22           223.036 f2l00c3mef.dll
09/12/2004  08:45           223.879 n4r2le9o1h.dll
08/12/2004  20:33           222.989 n26qlcj51fo.dll
08/12/2004  11:38           224.460 gp82l3lo1.dll
07/12/2004  13:39           226.261 f4j20e1oeh.dll
07/12/2004  10:28           223.146 en68l1ju1.dll
06/12/2004  18:02           224.542 fn0021dmg.dll
06/12/2004  17:30            30.208 shdocpe.dll
              21 arquivo(s)      4.509.037 bytes
               1 pasta(s) 32.753.995.776 bytes disponíveis

 ------- Hidden Files in System32 Directory -------

 O volume na unidade C não tem nome.
 O número de série do volume é 90C4-AC26

 Pasta de C:\WINDOWS\System32

09/12/2004  10:11    <DIR>          dllcache
06/12/2004  17:30            30.208 shdocpe.dll
06/11/2004  15:29               488 WindowsLogon.manifest
06/11/2004  15:29               488 logonui.exe.manifest
06/11/2004  15:29               749 sapi.cpl.manifest
06/11/2004  15:29               749 nwc.cpl.manifest
06/11/2004  15:29               749 cdplayer.exe.manifest
06/11/2004  15:29               749 wuaucpl.cpl.manifest
06/11/2004  15:29               749 ncpa.cpl.manifest
               8 arquivo(s)         34.929 bytes
               1 pasta(s) 32.753.991.680 bytes disponíveis

 ---------- Files Named "Guard" -------------

 O volume na unidade C não tem nome.
 O número de série do volume é 90C4-AC26

 Pasta de C:\WINDOWS\System32

13/12/2004  14:46           223.243 guard.tmp
               1 arquivo(s)        223.243 bytes
               0 pasta(s) 32.753.987.584 bytes disponíveis

 --------- Temp Files in System32 Directory --------

 O volume na unidade C não tem nome.
 O número de série do volume é 90C4-AC26

 Pasta de C:\WINDOWS\System32

13/12/2004  14:46           223.243 guard.tmp
28/10/2001  15:06             2.969 CONFIG.TMP
               2 arquivo(s)        226.212 bytes
               0 pasta(s) 32.753.987.584 bytes disponíveis

 ---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{20B2C9A7-ADF8-461F-842B-0941A98B562E}"=""


 ------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\q4nule591h.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


 ---------------- Xfind Results -----------------

C:\WINDOWS\System32\GUARD.TMP +++ File read error

 -------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
   cdplay~1.man   Sat  6 Nov 2004  15:29:34   A..HR            749     0,73 K
   en68l1~1.dll   Tue  7 Dec 2004  10:28:48   ..S.R        223.146   217,91 K
   f0l02a~1.dll   Fri 10 Dec 2004   7:21:16   ..S.R        223.190   217,96 K
   f2l00c~1.dll   Thu  9 Dec 2004   9:22:56   ..S.R        223.036   217,81 K
   f4j20e~1.dll   Tue  7 Dec 2004  13:39:04   ..S.R        226.261   220,96 K
   fn0021~1.dll   Mon  6 Dec 2004  18:02:26   ..S.R        224.542   219,28 K
   fpr003~1.dll   Sat 11 Dec 2004  22:17:02   ..S.R        225.792   220,50 K
   gp82l3~1.dll   Wed  8 Dec 2004  11:38:38   ..S.R        224.460   219,20 K
   gpl2l3~1.dll   Thu  9 Dec 2004  13:19:08   ..S.R        222.824   217,60 K
   guard.tmp      Mon 13 Dec 2004  14:46:28   ..S.R        223.243   218,01 K
   i2240c~1.dll   Thu  9 Dec 2004   9:25:26   ..S.R        224.367   219,11 K
   ibrop.dll      Sat 11 Dec 2004  15:49:54   ..S.R        224.796   219,53 K
   j40s0e~1.dll   Sat 11 Dec 2004   9:38:12   ..S.R        225.005   219,73 K
   jtn807~1.dll   Fri 10 Dec 2004   7:21:14   ..S.R        222.636   217,42 K
   logonu~1.man   Sat  6 Nov 2004  15:29:40   A..HR            488     0,48 K
   lv8o09~1.dll   Thu  9 Dec 2004  13:03:02   ..S.R        222.402   217,19 K
   m6po0g~1.dll   Sat 11 Dec 2004  16:50:12   ..S.R        223.405   218,17 K
   n22ulc~1.dll   Mon 13 Dec 2004  10:28:04   ..S.R        225.424   220,14 K
   n26qlc~1.dll   Wed  8 Dec 2004  20:33:18   ..S.R        222.989   217,76 K
   n4r2le~1.dll   Thu  9 Dec 2004   8:45:42   ..S.R        223.879   218,63 K
   ncpacp~1.man   Sat  6 Nov 2004  15:29:34   A..HR            749     0,73 K
   nwccpl~1.man   Sat  6 Nov 2004  15:29:34   A..HR            749     0,73 K
   o8pqli~1.dll   Thu  9 Dec 2004  12:55:54   ..S.R        223.191   217,96 K
   sapicp~1.man   Sat  6 Nov 2004  15:29:34   A..HR            749     0,73 K
   shdocpe.dll    Mon  6 Dec 2004  17:30:26   ..SHR         30.208    29,50 K
   t0r80a~1.dll   Mon 13 Dec 2004  11:25:52   ..S.R        224.241   218,98 K
   window~1.man   Sat  6 Nov 2004  15:29:40   A..HR            488     0,48 K
   wuaucp~1.man   Sat  6 Nov 2004  15:29:34   A..HR            749     0,73 K

28 items found:  28 files, 0 directories.
   Total of file sizes:  4.513.758 bytes      4,30 M


Log for VX2.BetterInternet File Finder (msg126)

Files Found---
 
Additional Files---
 
Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
SMDEn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{20B2C9A7-ADF8-461F-842B-0941A98B562E}

*    DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\en68l1~1.dll   Tue  7 Dec 2004  10:28:48   ..S.R        223.146   217,91 K
C:\WINDOWS\SYSTEM32\f0l02a~1.dll   Fri 10 Dec 2004   7:21:16   ..S.R        223.190   217,96 K
C:\WINDOWS\SYSTEM32\f2l00c~1.dll   Thu  9 Dec 2004   9:22:56   ..S.R        223.036   217,81 K
C:\WINDOWS\SYSTEM32\f4j20e~1.dll   Tue  7 Dec 2004  13:39:04   ..S.R        226.261   220,96 K
C:\WINDOWS\SYSTEM32\fn0021~1.dll   Mon  6 Dec 2004  18:02:26   ..S.R        224.542   219,28 K
C:\WINDOWS\SYSTEM32\fpr003~1.dll   Sat 11 Dec 2004  22:17:02   ..S.R        225.792   220,50 K
C:\WINDOWS\SYSTEM32\gp82l3~1.dll   Wed  8 Dec 2004  11:38:38   ..S.R        224.460   219,20 K
C:\WINDOWS\SYSTEM32\gpl2l3~1.dll   Thu  9 Dec 2004  13:19:08   ..S.R        222.824   217,60 K
C:\WINDOWS\SYSTEM32\i2240c~1.dll   Thu  9 Dec 2004   9:25:26   ..S.R        224.367   219,11 K
C:\WINDOWS\SYSTEM32\ibrop.dll      Sat 11 Dec 2004  15:49:54   ..S.R        224.796   219,53 K
C:\WINDOWS\SYSTEM32\j40s0e~1.dll   Sat 11 Dec 2004   9:38:12   ..S.R        225.005   219,73 K
C:\WINDOWS\SYSTEM32\jtn807~1.dll   Fri 10 Dec 2004   7:21:14   ..S.R        222.636   217,42 K
C:\WINDOWS\SYSTEM32\lv8o09~1.dll   Thu  9 Dec 2004  13:03:02   ..S.R        222.402   217,19 K
C:\WINDOWS\SYSTEM32\m6po0g~1.dll   Sat 11 Dec 2004  16:50:12   ..S.R        223.405   218,17 K
C:\WINDOWS\SYSTEM32\n22ulc~1.dll   Mon 13 Dec 2004  10:28:04   ..S.R        225.424   220,14 K
C:\WINDOWS\SYSTEM32\n26qlc~1.dll   Wed  8 Dec 2004  20:33:18   ..S.R        222.989   217,76 K
C:\WINDOWS\SYSTEM32\n4r2le~1.dll   Thu  9 Dec 2004   8:45:42   ..S.R        223.879   218,63 K
C:\WINDOWS\SYSTEM32\o8pqli~1.dll   Thu  9 Dec 2004  12:55:54   ..S.R        223.191   217,96 K
C:\WINDOWS\SYSTEM32\shdocpe.dll    Mon  6 Dec 2004  17:30:26   ..SHR         30.208    29,50 K
C:\WINDOWS\SYSTEM32\t0r80a~1.dll   Mon 13 Dec 2004  11:25:52   ..S.R        224.241   218,98 K
________________________________________________

1.262 items found:  1.262 files (20 H/S), 0 directories.
Total of file sizes:  235.650.088 bytes    224,73 M

Administrator Account =  True

--------------------End log---------------------

guestolo
Changed home page
« Reply #9 on: December 15, 2004, 12:18:39 AM »
Some things may have changed since the last post

Here's what we should try, first open up Ad-Aware and check for updates, but don't run a scan yet

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Download and Unzip to a folder of your choice
Hoster

Print out the rest of these instructions if you can or save this to a Notepad file on desktop
I'll need you to restart into safe mode and stay disconnected from the Internet

NEXT:
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad, click FILE>>SAVE AS
Important>>Change the Save as Type to All Files.
Name the file as fix.reg
Don't run this yet

Quote
REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]

Download Pocket Killbox from here:
http://www.downloads.subratam.org/KillBox.zip
Unzip the files to the folder of your choice.
Double-click on Killbox.exe to run it

click on Tools->Delete Temp Files

When that finishes, copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those in a minute:

C:\WINDOWS\SYSTEM32\en68l1~1.dll

C:\WINDOWS\SYSTEM32\f0l02a~1.dll

C:\WINDOWS\SYSTEM32\f2l00c~1.dll

C:\WINDOWS\SYSTEM32\f4j20e~1.dll

C:\WINDOWS\SYSTEM32\fn0021~1.dll

C:\WINDOWS\SYSTEM32\fpr003~1.dll

C:\WINDOWS\SYSTEM32\gp82l3~1.dll

C:\WINDOWS\SYSTEM32\gpl2l3~1.dll

C:\WINDOWS\SYSTEM32\i2240c~1.dll

C:\WINDOWS\SYSTEM32\ibrop.dll

C:\WINDOWS\SYSTEM32\j40s0e~1.dll

C:\WINDOWS\SYSTEM32\jtn807~1.dll

C:\WINDOWS\SYSTEM32\lv8o09~1.dll

C:\WINDOWS\SYSTEM32\m6po0g~1.dll

C:\WINDOWS\SYSTEM32\n22ulc~1.dll

C:\WINDOWS\SYSTEM32\n26qlc~1.dll

C:\WINDOWS\SYSTEM32\n4r2le~1.dll

C:\WINDOWS\SYSTEM32\o8pqli~1.dll

C:\WINDOWS\SYSTEM32\t0r80a~1.dll

C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS

C:\WINDOWS\System32\guard.tmp


For the files that it either couldn't find or couldn't delete, run killbox again, but this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No" until after you've pasted the last file name, at which time you should answer "Yes".

Try at this time to Restart your Computer into Safe mode, you can do this by tapping the F8 key on your keyboard as the system is Rebooting

right click the Start button and left click Explorer
Navigate to this folder
C:\WINDOWS\SYSTEM32
Highlight to Open it and sort the files by date created
Click on View in the Menu bar and choose Details
View>>Choose Details>>>Check Date Created

This hijacker has a way of changing and adding files
Look for dll files and guard.tmp with approximate date and size that have to be removed
As examples in your DLLcompare log such as these sizes and dates

C:\WINDOWS\SYSTEM32\n22ulc~1.dll Mon 13 Dec 2004 10:28:04 ..S.R 225.424 220,14 K
C:\WINDOWS\SYSTEM32\t0r80a~1.dll Mon 13 Dec 2004 11:25:52 ..S.R 224.241 218,98 K

Also try and find these files and delete them if they exist
bxfhzm.exe Do a search for this one, possibly in your System 32 folder
C:\WINDOWS\Downloaded Program Files\ieloader.exe <--file
C:\Documents and Settings\Jacqueline\Dados de aplicativos\tets.exe <--file

Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [Windows Compliant] bxfhzm.exe

O4 - HKLM\..\Run: [FX] C:\WINDOWS\Downloaded Program Files\ieloader.exe

O4 - HKCU\..\Run: [Slta] C:\Documents and Settings\Jacqueline\Dados de aplicativos\tets.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Double click on fix.reg and let it Merge to the registry

Again, stay in safe mode
Open Ad-Aware and run a Full System Scan
When the scan is complete Remove All critical objects

Open VX2 Finder and "Click to Find VX2.Betterinternet"
Click the "Click To Find VX2.Abetterinternet" button.
Select all the files found.
Click the 'Delete These Files' button

The program will delete all files but one that will be deleted on reboot.
Allow program to reboot.

If no files are found click on any of these highlighted on the right hand side
Click 'Guardian.reg'.
Click 'User Agent'.
Click 'Restore Policy'.

If files were found you will have to do this after you restart and then restart your machine one more time

Back in Windows open up Hoster and allow it to create a new Host file
Press the "Restore Original Hosts"

Post back here a Fresh hijackthis log, Dll Compare log and Findit.bat log
« Last Edit: December 15, 2004, 12:19:43 AM by guestolo »


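The two checks guestolo is doing by eye above (Winlogon\Notify entries whose DllName is a full path into system32, and System+Read-only files of about 220-230 KB in the Locate.com/DLLCompare listing) can be scripted. This is an added example, not Findit, DLLCompare or anything the helper posted; the sample input is a constructed fragment copied from the logs in this thread.

```python
"""Triage helper for the Findit / DLLCompare logs posted in this thread.

Flags (a) Winlogon\\Notify subkeys whose DllName is an explicit path, where
the stock entries use a bare module name or a hex(2) string, and (b) SYSTEM32
files with System + Read-only attributes of roughly 220-230 KB, the shape of
the random-named .dll files and guard.tmp in the Locate.com output.
"""
import re
from typing import List, Tuple

# Constructed sample input, copied from the logs posted above in this thread.
NOTIFY_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\q4nule591h.dll"
"""

LOCATE_LISTING = r"""C:\WINDOWS\SYSTEM32\
   cdplay~1.man   Sat  6 Nov 2004  15:29:34   A..HR            749     0,73 K
   en68l1~1.dll   Tue  7 Dec 2004  10:28:48   ..S.R        223.146   217,91 K
   guard.tmp      Mon 13 Dec 2004  14:46:28   ..S.R        223.243   218,01 K
   ibrop.dll      Sat 11 Dec 2004  15:49:54   ..S.R        224.796   219,53 K
   shdocpe.dll    Mon  6 Dec 2004  17:30:26   ..SHR         30.208    29,50 K
   t0r80a~1.dll   Mon 13 Dec 2004  11:25:52   ..S.R        224.241   218,98 K
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# name, weekday, day, month, year, time, 5-char attribute field, size in bytes
LOCATE_RE = re.compile(
    r"^\s*(?P<path>\S+)\s+\w{3}\s+\d{1,2}\s+\w{3}\s+\d{4}\s+\d{1,2}:\d{2}:\d{2}"
    r"\s+(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d.]+)\s"
)
RANDOM_83_RE = re.compile(r"^[a-z0-9]{6}~\d\.dll$", re.IGNORECASE)


def decode_reg_string(data: str) -> str:
    """Turn a REGEDIT4 value ("..." or hex(2):..) into a plain string."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\")   # .reg files escape backslashes
    if data.lower().startswith("hex(2):"):          # REG_EXPAND_SZ written as bytes
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
        return raw.rstrip(b"\x00").decode("ascii", "replace")
    return data


def suspicious_notify_entries(export: str) -> List[Tuple[str, str]]:
    """Winlogon\\Notify subkeys whose DllName points at an explicit path."""
    hits, subkey = [], None
    for line in export.splitlines():
        m = SECTION_RE.match(line)
        if m:
            subkey = m.group("key").rsplit("\\", 1)[-1]
            continue
        m = VALUE_RE.match(line)
        if m and subkey and m.group("name").lower() == "dllname":
            dll = decode_reg_string(m.group("data"))
            if "\\" in dll or ":" in dll:
                hits.append((subkey, dll))
    return hits


def suspicious_files(listing: str, lo: int = 215_000,
                     hi: int = 235_000) -> List[Tuple[str, int, str]]:
    """System+Read-only files inside the size window, tagged by name shape."""
    hits = []
    for line in listing.splitlines():
        m = LOCATE_RE.match(line)
        if not m:
            continue
        name = m.group("path").rsplit("\\", 1)[-1]      # DLLCompare prefixes the dir
        attrs = m.group("attrs")
        size = int(m.group("size").replace(".", ""))  # pt-BR thousands separator
        if "S" not in attrs or "R" not in attrs or not lo <= size <= hi:
            continue
        if name.lower() == "guard.tmp":
            tag = "guard.tmp"
        elif RANDOM_83_RE.match(name):
            tag = "random-8.3-dll"
        else:
            tag = "size-only"   # full-length random names also land here
        hits.append((name, size, tag))
    return hits


if __name__ == "__main__":
    for subkey, dll in suspicious_notify_entries(NOTIFY_EXPORT):
        print(f"Notify\\{subkey} loads {dll}")
    for name, size, tag in suspicious_files(LOCATE_LISTING):
        print(f"{name:16} {size:>8} bytes  {tag}")
```

Note that shdocpe.dll (30 KB, the res:// start page DLL) falls outside the size window and is caught by the HijackThis R0 line instead, which is why the helper cross-checks several logs.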

Guy
Changed home page
« Reply #10 on: December 16, 2004, 10:09:12 AM »
Thank you once again so much for your help. I have done everything you asked and here are copies of the results.

Logfile of HijackThis v1.98.2
Scan saved at 11:00:28, on 16/12/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\VIAudioi\SBADeck\ADeck.exe
C:\Arquivos de programas\iGv6\Discador iG.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Arquivos de programas\DIGStream\digstream.exe
C:\Arquivos de programas\Java\j2re1.4.2_06\bin\jusched.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\ARQUIV~1\iGv6\sysbrand.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
C:\Arquivos de programas\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
O4 - HKLM\..\Run: [AudioDeck] C:\Arquivos de programas\VIAudioi\SBADeck\ADeck.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Discador iG] "C:\Arquivos de programas\iGv6\Discador iG.exe" boot
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DIGStream] C:\Arquivos de programas\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Arquivos de programas\Creative\Video Blaster WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SysBrand] "C:\ARQUIV~1\iGv6\sysbrand.exe"
O4 - HKCU\..\Run: [Worms2.exe] C:\DOCUME~1\JACQUE~1\Desktop\Jogos\Worms2.exe /r
O4 - HKCU\..\Run: [Slta] C:\Documents and Settings\Jacqueline\Dados de aplicativos\tets.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)
O12 - Plugin for .pdf: C:\Arquivos de programas\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4us.cab

*    DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\ael.dll        Tue 14 Dec 2004  11:28:14   ..S.R        225.046   219,77 K
C:\WINDOWS\SYSTEM32\ennul1~1.dll   Wed 15 Dec 2004   7:18:32   ..S.R        224.203   218,95 K
C:\WINDOWS\SYSTEM32\fp6203~1.dll   Wed 15 Dec 2004  18:25:52   ..S.R        223.537   218,30 K
C:\WINDOWS\SYSTEM32\fp6403~1.dll   Wed 15 Dec 2004  19:51:02   ..S.R        223.325   218,09 K
C:\WINDOWS\SYSTEM32\k2lqlc~1.dll   Tue 14 Dec 2004  15:42:08   ..S.R        223.383   218,14 K
C:\WINDOWS\SYSTEM32\kt06l7~1.dll   Thu 16 Dec 2004  10:49:34   ..S.R        226.182   220,88 K
C:\WINDOWS\SYSTEM32\ktjsl7~1.dll   Wed 15 Dec 2004  19:55:12   ..S.R        224.579   219,31 K
C:\WINDOWS\SYSTEM32\mvj4l9~1.dll   Thu 16 Dec 2004   8:35:56   ..S.R        225.915   220,62 K
C:\WINDOWS\SYSTEM32\o6pqlg~1.dll   Thu 16 Dec 2004  10:56:34   ..S.R        224.575   219,31 K
C:\WINDOWS\SYSTEM32\shdocpe.dll    Mon  6 Dec 2004  17:30:26   ..SHR         30.208    29,50 K
C:\WINDOWS\SYSTEM32\vswhp.dll      Thu 16 Dec 2004  10:57:38   ..S.R        226.182   220,88 K
________________________________________________

1.278 items found:  1.278 files (11 H/S), 0 directories.
Total of file sizes:  238.630.606 bytes    227,57 M

Administrator Account =  True

--------------------End log---------------------
Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is 90C4-AC26

 Directory of C:\WINDOWS\System32

16/12/2004  10:57           226.182 vsWHP.dll
16/12/2004  10:56           224.575 o6pqlg7516.dll
16/12/2004  10:49           226.182 kt06l7ds1.dll
16/12/2004  08:35           225.915 mvj4l91q1.dll
15/12/2004  19:55           224.579 ktjsl7171.dll
15/12/2004  19:51           223.325 fp6403jqe.dll
15/12/2004  18:25           223.537 fp6203joe.dll
15/12/2004  07:18           224.203 ennul1591.dll
14/12/2004  15:42           223.383 k2lqlc351f.dll
14/12/2004  11:28           225.046 ael.dll
13/12/2004  17:28    <DIR>          dllcache
06/12/2004  17:30            30.208 shdocpe.dll
              11 File(s)      2.277.135 bytes
               1 Dir(s) 30.587.428.864 bytes free

 ------- Hidden Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is 90C4-AC26

 Directory of C:\WINDOWS\System32

13/12/2004  17:28    <DIR>          dllcache
06/12/2004  17:30            30.208 shdocpe.dll
06/11/2004  15:29               488 WindowsLogon.manifest
06/11/2004  15:29               488 logonui.exe.manifest
06/11/2004  15:29               749 sapi.cpl.manifest
06/11/2004  15:29               749 nwc.cpl.manifest
06/11/2004  15:29               749 cdplayer.exe.manifest
06/11/2004  15:29               749 wuaucpl.cpl.manifest
06/11/2004  15:29               749 ncpa.cpl.manifest
               8 File(s)         34.929 bytes
               1 Dir(s) 30.587.428.864 bytes free

 ---------- Files Named "Guard" -------------

 Volume in drive C has no label.
 Volume Serial Number is 90C4-AC26

 Directory of C:\WINDOWS\System32


 --------- Temp Files in System32 Directory --------

 Volume in drive C has no label.
 Volume Serial Number is 90C4-AC26

 Directory of C:\WINDOWS\System32

28/10/2001  15:06             2.969 CONFIG.TMP
               1 File(s)          2.969 bytes
               0 Dir(s) 30.587.424.768 bytes free

 ---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{20B2C9A7-ADF8-461F-842B-0941A98B562E}"=""


 ------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\kt06l7ds1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


 ---------------- Xfind Results -----------------

C:\WINDOWS\System32\KT06L7~1.DLL +++ File read error

 -------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
   ael.dll        Tue 14 Dec 2004  11:28:14   ..S.R        225.046   219,77 K
   cdplay~1.man   Sat  6 Nov 2004  15:29:34   A..HR            749     0,73 K
   ennul1~1.dll   Wed 15 Dec 2004   7:18:32   ..S.R        224.203   218,95 K
   fp6203~1.dll   Wed 15 Dec 2004  18:25:52   ..S.R        223.537   218,30 K
   fp6403~1.dll   Wed 15 Dec 2004  19:51:02   ..S.R        223.325   218,09 K
   k2lqlc~1.dll   Tue 14 Dec 2004  15:42:08   ..S.R        223.383   218,14 K
   kt06l7~1.dll   Thu 16 Dec 2004  10:49:34   ..S.R        226.182   220,88 K
   ktjsl7~1.dll   Wed 15 Dec 2004  19:55:12   ..S.R        224.579   219,31 K
   logonu~1.man   Sat  6 Nov 2004  15:29:40   A..HR            488     0,48 K
   mvj4l9~1.dll   Thu 16 Dec 2004   8:35:56   ..S.R        225.915   220,62 K
   ncpacp~1.man   Sat  6 Nov 2004  15:29:34   A..HR            749     0,73 K
   nwccpl~1.man   Sat  6 Nov 2004  15:29:34   A..HR            749     0,73 K
   o6pqlg~1.dll   Thu 16 Dec 2004  10:56:34   ..S.R        224.575   219,31 K
   sapicp~1.man   Sat  6 Nov 2004  15:29:34   A..HR            749     0,73 K
   shdocpe.dll    Mon  6 Dec 2004  17:30:26   ..SHR         30.208    29,50 K
   vswhp.dll      Thu 16 Dec 2004  10:57:38   ..S.R        226.182   220,88 K
   window~1.man   Sat  6 Nov 2004  15:29:40   A..HR            488     0,48 K
   wuaucp~1.man   Sat  6 Nov 2004  15:29:34   A..HR            749     0,73 K

18 items found:  18 files, 0 directories.
   Total of file sizes:  2.281.856 bytes      2,18 M

I hope this is all right!!!
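The Findit.bat output above is what the helper reads by eye: under "Keys Under Notify", every stock package names a bare DLL (crypt32.dll, cscdll.dll, wlnotify.dll, sclgntfy.dll) while the IPConfTSP entry loads C:\WINDOWS\system32\kt06l7ds1.dll by full path, and the DLLCompare section lists that same file (under its 8.3 name kt06l7~1.dll) among a set of similar-sized DLLs carrying the System and ReadOnly attributes. The Python below is an added example, not code from this thread or from HijackThis, DLLCompare or Findit.bat: it parses the two formats from constructed samples laid out like the posted logs, flags both conditions, and pairs them. The list of stock Windows XP notification DLLs and the match on the part of the name before "~" are assumptions of the example, not facts stated in the thread, and a hit means "look at this", not "delete this".

```python
"""Added example, not the thread's or any tool's own code: parse the two log
formats posted above and flag what a helper checks by eye. The stock DLL list
and the 8.3-name matching below are assumptions, not facts from the thread."""
import re

# Notification packages shipped with Windows XP (assumption); anything else is
# "look at this", not automatically malware.
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

# Constructed sample in the REGEDIT4 layout of the "Keys Under Notify" section.
NOTIFY_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"DllName"="C:\\WINDOWS\\system32\\kt06l7ds1.dll"
"Logon"="WinLogon"
"""

# Constructed sample in the DLLCompare / locate.com column layout.
FILE_LISTING = r"""
C:\WINDOWS\SYSTEM32\ael.dll        Tue 14 Dec 2004  11:28:14   ..S.R        225.046   219,77 K
C:\WINDOWS\SYSTEM32\cdplay~1.man   Sat  6 Nov 2004  15:29:34   A..HR            749     0,73 K
C:\WINDOWS\SYSTEM32\kt06l7~1.dll   Thu 16 Dec 2004  10:49:34   ..S.R        226.182   220,88 K
C:\WINDOWS\SYSTEM32\shdocpe.dll    Mon  6 Dec 2004  17:30:26   ..SHR         30.208    29,50 K
"""

LISTING_RE = re.compile(r"^(?P<path>\S+)\s+\w{3}\s+\d{1,2}\s+\w{3}\s+\d{4}\s+"
                        r"\d{1,2}:\d{2}:\d{2}\s+(?P<attr>[A-Z.]{5})\s+(?P<size>[\d.,]+)")

def _decode_value(raw):
    """REGEDIT4 literal -> Python value: dword, hex(2) byte list, or quoted REG_SZ."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex"):                       # hex(2) = REG_EXPAND_SZ as bytes
        octets = [int(o, 16) for o in raw.split(":", 1)[1].split(",") if o]
        return bytes(octets).decode("latin-1").rstrip("\x00")
    if raw.startswith('"') and raw.endswith('"'):  # REG_SZ: \\ and \" are escaped
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw

def parse_regedit4(text):
    """Return {key path: {value name (lowercased): value}} for every [key] block."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):                     # long hex values wrap with '\'
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"').lower()] = _decode_value(raw)
    return keys

def audit_notify(export_text):
    """(subkey, dll, reasons) for Notify packages loading a non-stock DLL or giving
    an absolute path; stock entries name a bare file resolved from System32."""
    findings = []
    for key, values in parse_regedit4(export_text).items():
        dll = values.get("dllname")
        if "\\Winlogon\\Notify\\" not in key or not dll:
            continue
        base = dll.rsplit("\\", 1)[-1].lower()
        reasons = []
        if base not in STOCK_NOTIFY_DLLS:
            reasons.append("not a stock notification package")
        if "\\" in dll:
            reasons.append("absolute path")
        if reasons:
            findings.append((key.rsplit("\\", 1)[-1], dll, reasons))
    return findings

def suspicious_dlls(listing_text):
    """(path, attr, size) for DLLs with System and ReadOnly set but Archive clear,
    the attribute mix on every odd DLL in the DLLCompare section (heuristic)."""
    hits = []
    for line in listing_text.splitlines():
        m = LISTING_RE.match(line.strip())
        if not m or not m["path"].lower().endswith(".dll"):
            continue
        if "S" in m["attr"] and "R" in m["attr"] and "A" not in m["attr"]:
            size = int(re.sub(r"[.,]", "", m["size"]))  # pt-BR thousands separator
            hits.append((m["path"], m["attr"], size))
    return hits

def corroborate(notify_findings, dll_hits):
    """Pair a flagged Notify DLL with a flagged file. The listing shows 8.3 names
    (kt06l7~1.dll), so match on the part before '~' (heuristic, may over-match)."""
    pairs = []
    for subkey, dll, _ in notify_findings:
        base = dll.rsplit("\\", 1)[-1].lower()
        for path, _, _ in dll_hits:
            short = path.rsplit("\\", 1)[-1].lower()
            stem = short.split("~", 1)[0] if "~" in short else short.rsplit(".", 1)[0]
            if base.startswith(stem):
                pairs.append((subkey, base, short))
    return pairs
```

To use it on a real log, paste the "Keys Under Notify" export and the DLLCompare block into the two constants and call audit_notify, suspicious_dlls and corroborate. A DLL registered under Winlogon\Notify is loaded by winlogon.exe itself, which is why a file like this cannot simply be deleted from a normal session and why the helper's procedure is run around a reboot.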