Author Topic: Looks like I have something now  (Read 607 times)

Offline Mr Bell

  • Sr. Member
  • ****
  • Posts: 300
  • Karma: +0/-0
Looks like I have something now
« on: March 01, 2008, 12:15:01 PM »
I was kicked from GameSurge mIRC and it said I had a virus. I did a scan via AVG and it only scans like 52000 files and then quits. It said nothing was infected; however, it did list this: C:\WINDOWS\system32\drivers\etc\hosts
No clue what that is. When I go to GameSurge, this is what it said was the reason....

G-line Query

Checking for a G-line on 'cache-dtc-ac06.proxy.Email Removed' (205.188.116.135)...

Error: Your ISP appears to utilize a web proxy, or cache server. If that is the case, this check may not return a G-line for your host, even if you are still not able to connect to a GameSurge server.

0 G-line found for your host.



Logfile of HijackThis v1.99.1
Scan saved at 12:17:43 PM, on 3/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Common Files\AOL\1126634133\ee\AOLSoftware.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\WINDOWS\system32\mssvcs.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Documents and Settings\Randy\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eightballclan.branzone.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126634133\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKLM\..\RunServices: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKCU\..\RunServices: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.eightballclan.com
O15 - Trusted Zone: *.tpgleague.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F9C9C62-1E47-476F-890B-CE564DB6E779}: NameServer = 65.32.5.74,65.32.5.75
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F9C9C62-1E47-476F-890B-CE564DB6E779}: NameServer = 65.32.5.74,65.32.5.75
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
« Last Edit: March 01, 2008, 12:18:20 PM by Mr Bell »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Looks like I have something now
« Reply #1 on: March 01, 2008, 12:44:07 PM »
I'm just on my way out the door and I won't be back for a few hours; in the meantime, can you do the following:

Download SDFix and save it to your desktop.
We will need it in a bit.

Disable Windows Defender protections so they won't interfere with any fixes we try

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

Do a "System scan only" with HijackThis and put a check next to these entries:

O4 - HKLM\..\Run: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKLM\..\RunServices: [Microsoft Corporation Svchost Services] mssvcs.exe

O4 - HKCU\..\Run: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKCU\..\RunServices: [Microsoft Corporation Svchost Services] mssvcs.exe


After you have ticked the above entries, close all other open windows, including this one.
Leave HijackThis open and click FIX CHECKED.
OK the prompt and exit HijackThis.


Reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
In Safe Mode:

Find and delete this exact file name:
C:\WINDOWS\system32\mssvcs.exe <- this file

Double-click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).
Go to START >> My Computer >> double-click to open the C:\ folder.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
Post back the report from SDFix along with a fresh HijackThis log.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
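
As an added example (not from this thread, and not part of HijackThis), here is a small Python triage of the O4 autorun lines that scores the red flags visible in the log above: a bare file name with no path, use of the RunServices key (honoured only by Windows 9x/ME, ignored by XP), an entry name that claims to be svchost while running a different binary, and the same program registered under both HKLM and HKCU. The sample lines are copied from the first HijackThis log in this thread; the function names and scoring rules are my own heuristics, not a HijackThis feature.

```python
import re
from collections import defaultdict

# Constructed sample: the O4 lines from the first HijackThis log in this thread
# (four mssvcs.exe entries plus a few benign ones), so the script runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKLM\..\RunServices: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKCU\..\RunServices: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe
"""

# One HijackThis O4 line: hive, autorun key, entry name and command line.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Services)?(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# RunServices / RunServicesOnce are honoured only by Windows 9x/ME. The NT line
# (XP included) ignores them, so on XP they are almost always written by
# malware that blindly populates every autorun key it knows about.
WIN9X_ONLY_KEYS = {"RunServices", "RunServicesOnce"}


def parse_o4(log_text):
    """Return one dict per O4 line found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["line"] = line.strip()
            entries.append(entry)
    return entries


def executable_of(cmd):
    """Program path from a Run value: the quoted part, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(entries):
    """Score each entry by the number of red flags it shows.

    Returns [(score, reasons, line)] with the most suspicious first; entries
    with no flags are left out. A score of 1 is a hint, not a verdict (the
    bare KHALMNPR.EXE in the log is a legitimate Logitech component).
    """
    hives_by_exe = defaultdict(set)
    for e in entries:
        hives_by_exe[executable_of(e["cmd"]).lower()].add(e["hive"])

    findings = []
    for e in entries:
        exe = executable_of(e["cmd"])
        base = exe.rsplit("\\", 1)[-1].lower()
        reasons = []
        if "\\" not in exe and ":" not in exe:
            reasons.append("bare file name, no path: resolved by search order, not pinned to one file")
        if e["key"] in WIN9X_ONLY_KEYS:
            reasons.append(f"{e['key']} is a Win9x-only key that XP ignores")
        if "svchost" in e["name"].lower() and base != "svchost.exe":
            reasons.append(f"entry name claims svchost but runs {base}")
        if hives_by_exe[exe.lower()] >= {"HKLM", "HKCU"}:
            reasons.append("same program registered under both HKLM and HKCU")
        if reasons:
            findings.append((len(reasons), reasons, e["line"]))
    return sorted(findings, key=lambda f: -f[0])


def triage_log(log_text):
    return triage(parse_o4(log_text))


if __name__ == "__main__":
    for score, reasons, line in triage_log(SAMPLE_LOG):
        print(f"[{score}] {line}")
        for reason in reasons:
            print(f"      - {reason}")
```

On the sample, the four mssvcs.exe entries score 3 or 4 while every other line scores at most 1, which is the same ranking the helper reached by eye.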


Offline Mr Bell

  • Sr. Member
  • ****
  • Posts: 300
  • Karma: +0/-0
Looks like I have something now
« Reply #2 on: March 01, 2008, 04:43:00 PM »
Can you offer me any idea on how I got this? Also, why didn't AVG detect this? Was it a new virus or have you seen this before?

It appears I never turned on real-time protection the last time out. If it is clean, do I delete the sdfix.exe and the backup files?

One other thing first: when I did a search in all files, the only one that popped up was mssvcs.exe-2boab485.pf, and I placed it in my recycle bin, where it still sits.

Anyway, operations are complete and here are the logs you requested.

SDFix: Version 1.150

Run by Randy on Sat 03/01/2008 at 04:06 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\regedit.com  - Deleted





Removing Temp Files

ADS Check :
 


                                 Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 16:21:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Valve\\Steam\\Steam.exe"="C:\\Program Files\\Valve\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\day of defeat\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\day of defeat\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\America Online 9.0a\\wEmail Removedexe"="C:\\Program Files\\America Online 9.0a\\wEmail Removedexe:*:Enabled:America Online 9.0a"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\SIERRA\\Half-Life\\voice_tweak.exe"="C:\\SIERRA\\Half-Life\\voice_tweak.exe:*:Enabled:voice_tweak"
"C:\\Program Files\\Sierra On-Line\\SIGSPat.exe"="C:\\Program Files\\Sierra On-Line\\SIGSPat.exe:*:Enabled:SIGSPat"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\deathmatch classic\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\deathmatch classic\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\dedicated server\\hlds.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\dedicated server\\hlds.exe:*:Enabled:HLDS Launcher"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\team fortress classic\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\team fortress classic\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\half-life\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\half-life\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\dedicated server\\hltv.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\dedicated server\\hltv.exe:*:Enabled:HLTV Launcher"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\condition zero\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\condition zero\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\counter-strike source\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Disabled:Logitech Desktop Messenger"
"C:\\Program Files\\FileZilla\\FileZilla.exe"="C:\\Program Files\\FileZilla\\FileZilla.exe:*:Enabled:FileZilla"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Disabled:Kazaa"
"C:\\Program Files\\Sierra On-Line\\Valve\\Steam\\Steam.exe"="C:\\Program Files\\Sierra On-Line\\Valve\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1126634133\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1126634133\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\day of defeat source\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\day of defeat source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\lostcoast\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\lostcoast\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\half-life 2\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\shotcreteman1\\half-life 2\\hl2.exe:*:Enabled:hl2"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Disabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_server.exe"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_server.exe:*:Enabled:Musicmatch Music Server"
"C:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"="C:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe:*:Enabled:TmNationsESWC"
"C:\\Program Files\\HLSW\\hlsw.exe"="C:\\Program Files\\HLSW\\hlsw.exe:*:Enabled:HLSW"
"C:\\Program Files\\Sierra On-Line\\Valve\\Steam\\SteamApps\\shotcreteman1\\day of defeat\\hl.exe"="C:\\Program Files\\Sierra On-Line\\Valve\\Steam\\SteamApps\\shotcreteman1\\day of defeat\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Valve\\Steam\\steamapps\\majorgman\\day of defeat\\hl.exe"="C:\\Program Files\\Valve\\Steam\\steamapps\\majorgman\\day of defeat\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\VentSrv\\ventrilo_srv.exe"="C:\\Program Files\\VentSrv\\ventrilo_srv.exe:*:Enabled:ventrilo_srv"
"C:\\Documents and Settings\\Randy\\DoctorWeb\\Quarantine\\mirc.exe"="C:\\Documents and Settings\\Randy\\DoctorWeb\\Quarantine\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\wEmail Removedexe"="C:\\Program Files\\America Online 9.0\\wEmail Removedexe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Electronic Arts\\Battlefield 2142 Demo\\BF2142.exe"="C:\\Program Files\\Electronic Arts\\Battlefield 2142 Demo\\BF2142.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\GameSpy\\Comrade\\Comrade.exe"="C:\\Program Files\\GameSpy\\Comrade\\Comrade.exe:*:Enabled:Comrade"
"C:\\Program Files\\Common Files\\AOL\\1126634133\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1126634133\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\ABIT\\FlashMenu\\FlashMenu.exe"="C:\\Program Files\\ABIT\\FlashMenu\\FlashMenu.exe:*:Enabled:ABIT FlashMenu Application"
"C:\\Program Files\\U-ABIT\\FlashMenu\\flashmenu.exe"="C:\\Program Files\\U-ABIT\\FlashMenu\\flashmenu.exe:*:Enabled:FlashMenu Application"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\java.exe"="C:\\WINDOWS\\system32\\java.exe:*:Enabled:Java(tm) Platform SE binary"
"C:\\Program Files\\Valve\\Steam\\steamapps\\shotcreteman1\\source sdk base\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\steamapps\\shotcreteman1\\source sdk base\\hl2.exe:*:Disabled:hl2"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Valve\\Steam\\steamapps\\common\\call of duty 4\\iw3mp.exe"="C:\\Program Files\\Valve\\Steam\\steamapps\\common\\call of duty 4\\iw3mp.exe:*:Enabled:iw3mp"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0a\\wEmail Removedexe"="C:\\Program Files\\America Online 9.0a\\wEmail Removedexe:*:Enabled:America Online 9.0a"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1126634133\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1126634133\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 12 Jul 2005        54,872 A..H. --- "C:\Program Files\America Online 9.0\AOLphx.exe"
Tue 12 Jul 2005        31,832 A..H. --- "C:\Program Files\America Online 9.0\rbm.exe"
Fri  7 May 2004        54,384 A..H. --- "C:\Program Files\America Online 9.0a\aolphx.exe"
Fri  7 May 2004       156,784 A..H. --- "C:\Program Files\America Online 9.0a\aoltray.exe"
Fri  7 May 2004        31,344 A..H. --- "C:\Program Files\America Online 9.0a\RBM.exe"
Wed 13 Jun 2007       377,195 ..SHR --- "C:\WINDOWS\system32\mssvcs.exe"
Fri 17 Mar 2006         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 22 Jan 2007            72 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti580.tmp"
Sun  3 Feb 2008             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"

Finished!


Logfile of HijackThis v1.99.1
Scan saved at 4:52:14 PM, on 3/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Common Files\AOL\1126634133\ee\AOLSoftware.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Documents and Settings\Randy\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eightballclan.branzone.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126634133\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.eightballclan.com
O15 - Trusted Zone: *.tpgleague.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F9C9C62-1E47-476F-890B-CE564DB6E779}: NameServer = 65.32.5.74,65.32.5.75
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F9C9C62-1E47-476F-890B-CE564DB6E779}: NameServer = 65.32.5.74,65.32.5.75
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Offline Mr Bell

  • Sr. Member
  • ****
  • Posts: 300
  • Karma: +0/-0
Looks like I have something now
« Reply #3 on: March 01, 2008, 05:09:06 PM »
And BTW, does this mean my laptop has it also, because I was kicked off mIRC on that also?

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Looks like I have something now
« Reply #4 on: March 02, 2008, 12:28:21 AM »
Quote:
Can you offer me any idea on how I got this? Also why didn't AVG detect this? Was it a new virus or have you seen this before?

It could very well be a new file name; I'm not sure about the viral activity of it, however.

Can you do me a favor and scan the file, the scanner should find it if you do the following

go to this link

http://www.virustotal.com/flash/index_en.html
Copy and paste the next bold line  to the Upload a File

C:\WINDOWS\system32\mssvcs.exe


Then use the SEND FILE button
Let it finish scanning
Could you post the results of this scan back here please

NEXT:
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

See then if you can find and delete that file
Afterwards
Reset Windows to Hide hidden files and folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Do Not Show hidden files and folders.
    * Check the Hide protected operating system files (recommended) option.
    * Click OK.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
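The two Folder Options procedures above (show hidden files and protected OS files, show extensions, then hide them again) flip three DWORD values under the current user's Explorer\Advanced registry key. The script below, an added example that is not part of the original post or of any tool named here, audits those values so a defender can tell at a glance whether a box would display a file like mssvcs.exe with its real extension and whether hidden or system-flagged files would be visible. The value names and meanings are the documented Explorer ones; on Windows it reads the live key, elsewhere it falls back to assessing a constructed default-like dict.

```python
r"""Audit (and optionally set) the Explorer 'show hidden files' settings that
the Folder Options steps in the thread toggle through the GUI.

Added example for this thread, not part of the original post. The values
live under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced:
  Hidden          1 = show hidden files and folders, 2 = do not show them
  ShowSuperHidden 1 = show protected operating system files, 0 = hide them
  HideFileExt     1 = hide extensions for known file types, 0 = show them
"""
try:
    import winreg  # Windows only; the assess() logic below works anywhere
except ImportError:
    winreg = None

ADVANCED_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# What the 'Show hidden files and folders' steps end up with.
REVEAL = {"Hidden": 1, "ShowSuperHidden": 1, "HideFileExt": 0}
# What the 'Reset to hide' steps restore; extensions stay shown, as the
# later reply in the thread recommends.
RESTORE = {"Hidden": 2, "ShowSuperHidden": 0, "HideFileExt": 0}
# Constructed stand-in for a stock XP profile (assumption: XP defaults).
XP_DEFAULT_LIKE = {"Hidden": 2, "ShowSuperHidden": 0, "HideFileExt": 1}


def assess(settings):
    """Return a list of findings for a dict of the three values.

    Missing values are treated as Explorer's defaults (hide everything)."""
    findings = []
    if settings.get("HideFileExt", 1) == 1:
        findings.append("extensions hidden: 'photo.jpg.exe' is displayed as 'photo.jpg'")
    if settings.get("Hidden", 2) != 1:
        findings.append("hidden files not shown: a file with the hidden attribute is invisible in Explorer")
    if settings.get("ShowSuperHidden", 0) != 1:
        findings.append("protected OS files hidden: a file marked system+hidden is invisible in Explorer")
    return findings


def read_current():
    """Read the live values on Windows; return None on other platforms."""
    if winreg is None:
        return None
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ADVANCED_KEY) as key:
        for name in REVEAL:
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value absent: Explorer falls back to its default
    return out


def apply(settings):
    """Write the values for the current user (Windows only).

    Open Explorer windows may need a refresh before they reflect the change."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ADVANCED_KEY, 0,
                        winreg.KEY_SET_VALUE) as key:
        for name, value in settings.items():
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, value)


if __name__ == "__main__":
    current = read_current()
    if current is None:
        print("not on Windows; assessing a constructed default-like profile")
        current = XP_DEFAULT_LIKE
    for finding in assess(current) or ["nothing hidden from view"]:
        print("-", finding)
```

Run it as-is to audit; call apply(REVEAL) before hunting for the file and apply(RESTORE) afterwards to mirror the two GUI procedures. Keeping HideFileExt at 0 in RESTORE is deliberate: the double-extension trick only works while extensions are hidden.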


Mr Bell
« Reply #5 on: March 02, 2008, 05:27:41 AM »
It sure did find it that time.

I had that other file mssvcs.exe-2boab485.pf in the recycle bin, so I restored that one since it wasn't the exact match we were looking for. Is that OK?

C:\WINDOWS\system32\mssvcs.exe appeared to be a picture that might have been received from ImageShack. I download the following from that site: demos and screenshots from players if they are disputed in a match.

What do you recommend I use to scan them first before I open and look at them?

guestolo
« Reply #6 on: March 02, 2008, 10:43:24 AM »
Quote
I had that other file mssvcs.exe-2boab485.pf in the recycle bin, so I restored that one since it wasn't the exact match we were looking for. Is that OK?
No, you should go back and delete that file

Well, I've got no idea what infection the file is related to
or how many scanners were up to date on it

You didn't post the results from Virustotal

Concerning your laptop, do you want to post a hijackthis log from it?
« Last Edit: March 02, 2008, 10:46:23 AM by guestolo »



Mr Bell
« Reply #7 on: March 02, 2008, 11:47:41 AM »
File Photo16-2008.JPG-www.imageshack.s received on 03.01.2008 18:36:15 (CET)

Antivirus          Version        Last Update  Result
AhnLab-V3          2008.2.29.1    2008.02.29   -
AntiVir            7.6.0.73       2008.02.29   TR/Crypt.XPACK.Gen
Authentium         4.93.8         2008.03.01   -
Avast              4.7.1098.0     2008.03.01   -
AVG                7.5.0.516      2008.02.29   -
BitDefender        7.2            2008.03.01   Packer.PrivateExeProtector.A
CAT-QuickHeal      9.50           2008.03.01   (Suspicious) - DNAScan
ClamAV             0.92.1         2008.03.01   -
DrWeb              4.44.0.09170   2008.03.01   -
eSafe              7.0.15.0       2008.02.28   -
eTrust-Vet         31.3.5574      2008.02.29   -
Ewido              4.0            2008.03.01   -
FileAdvisor        1              2008.03.01   -
Fortinet           3.14.0.0       2008.03.01   -
F-Prot             4.4.2.54       2008.02.29   -
F-Secure           6.70.13260.0   2008.03.01   Suspicious:W32/Malware!Gemini
Ikarus             T3.1.1.20      2008.03.01   Trojan-PWS.Win32.Lmir.AGP
Kaspersky          7.0.0.125      2008.03.01   -
McAfee             5242           2008.02.29   New Malware.bl
Microsoft          1.3301         2008.03.01   -
NOD32v2            2913           2008.03.01   Win32/Rbot
Norman             5.80.02        2008.02.29   -
Panda              9.0.0.4        2008.03.01   Suspicious file
Rising             20.33.52.00    2008.03.01   -
Sophos             4.27.0         2008.03.01   Sus/UnkPacker
Sunbelt            3.0.906.0      2008.02.28   VIPRE.Suspicious
Symantec           10             2008.03.01   -
TheHacker          6.2.9.229      2008.02.25   -
VBA32              3.12.6.2       2008.02.27   -
VirusBuster        4.3.26:9       2008.02.29   -
Webwasher-Gateway  6.6.2          2008.03.01   Trojan.Crypt.XPACK.Gen

Additional information
File size: 377195 bytes
MD5: fd452d152203831ce0e57d07976f22ab
SHA1: abe691e2038b1df89329fb597bf7b9024250392c
PEiD: -
packers: PEP
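The VirusTotal listing above, and guestolo's reading of it in the next reply (many engines simply were not updated to this signature yet), can be checked mechanically. The script below is an added example, not part of the original post or of VirusTotal's tooling: it parses the 2008-era text listing exactly as pasted (vendor, engine version, signature date, verdict), reports the detection ratio and which engines flagged the file, lists the engines whose signatures were older than the scan date, and computes MD5/SHA1 so a defender can confirm that a file on disk is the same sample the report describes. The scan date is passed in yyyy.mm.dd form, matching the Last Update column, and the hash functions are exercised on a constructed byte string rather than the sample.

```python
"""Summarise a pasted VirusTotal text listing and verify file hashes.

Added example for this thread, not VirusTotal's own tooling. VT_LISTING is
the listing Mr Bell pasted above (whitespace separated; '-' means the engine
reported nothing). Verdicts may themselves contain spaces, so each line is
split into at most four fields.
"""
import hashlib

VT_LISTING = """\
AhnLab-V3 2008.2.29.1 2008.02.29 -
AntiVir 7.6.0.73 2008.02.29 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.03.01 -
Avast 4.7.1098.0 2008.03.01 -
AVG 7.5.0.516 2008.02.29 -
BitDefender 7.2 2008.03.01 Packer.PrivateExeProtector.A
CAT-QuickHeal 9.50 2008.03.01 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.03.01 -
DrWeb 4.44.0.09170 2008.03.01 -
eSafe 7.0.15.0 2008.02.28 -
eTrust-Vet 31.3.5574 2008.02.29 -
Ewido 4.0 2008.03.01 -
FileAdvisor 1 2008.03.01 -
Fortinet 3.14.0.0 2008.03.01 -
F-Prot 4.4.2.54 2008.02.29 -
F-Secure 6.70.13260.0 2008.03.01 Suspicious:W32/Malware!Gemini
Ikarus T3.1.1.20 2008.03.01 Trojan-PWS.Win32.Lmir.AGP
Kaspersky 7.0.0.125 2008.03.01 -
McAfee 5242 2008.02.29 New Malware.bl
Microsoft 1.3301 2008.03.01 -
NOD32v2 2913 2008.03.01 Win32/Rbot
Norman 5.80.02 2008.02.29 -
Panda 9.0.0.4 2008.03.01 Suspicious file
Rising 20.33.52.00 2008.03.01 -
Sophos 4.27.0 2008.03.01 Sus/UnkPacker
Sunbelt 3.0.906.0 2008.02.28 VIPRE.Suspicious
Symantec 10 2008.03.01 -
TheHacker 6.2.9.229 2008.02.25 -
VBA32 3.12.6.2 2008.02.27 -
VirusBuster 4.3.26:9 2008.02.29 -
Webwasher-Gateway 6.6.2 2008.03.01 Trojan.Crypt.XPACK.Gen
"""


def parse_vt_listing(text):
    """Return (vendor, version, sig_date, verdict) tuples, one per engine."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(None, 3)
        if len(parts) == 4:          # skip blank or malformed lines, never guess
            rows.append(tuple(parts))
    return rows


def summarise(rows):
    """Detection ratio plus the engines that returned a verdict."""
    flagged = [vendor for vendor, _, _, verdict in rows if verdict != "-"]
    return {"engines": len(rows), "detections": len(flagged), "flagged_by": flagged}


def stale_engines(rows, scan_date):
    """Engines whose signature date predates the scan (yyyy.mm.dd strings
    compare correctly as text because every field is zero-padded)."""
    return [vendor for vendor, _, sig_date, _ in rows if sig_date < scan_date]


def hashes_of_bytes(data):
    """MD5 and SHA1 hex digests, the two values VirusTotal listed in 2008."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def matches_listed(data, md5_hex, sha1_hex):
    """True only if both digests agree with the report's values."""
    h = hashes_of_bytes(data)
    return h["md5"] == md5_hex.lower() and h["sha1"] == sha1_hex.lower()


if __name__ == "__main__":
    rows = parse_vt_listing(VT_LISTING)
    s = summarise(rows)
    print("%d of %d engines flagged the file:" % (s["detections"], s["engines"]),
          ", ".join(s["flagged_by"]))
    print("signatures older than the scan date:",
          ", ".join(stale_engines(rows, "2008.03.01")))
```

To compare a file on disk against the report, read it in binary mode and call matches_listed(data, "fd452d152203831ce0e57d07976f22ab", "abe691e2038b1df89329fb597bf7b9024250392c") with the two digests from the listing above; a mismatch means the file is not the sample the verdicts describe, and the hash, not the file name, is what to search for.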

guestolo
« Reply #8 on: March 02, 2008, 12:27:14 PM »
Thanks for the info
Seems as if quite a few scanners aren't updated to this signature yet

This should change since you uploaded the file to virustotal
New trojans and viruses are popping up all the time

The next time you encounter a file like this, Avast and others may be up to date on it
and not others.
It is still best to save a file to the hard disk, then right click on it and scan with Avast before opening.

Also a good idea to keep file extensions shown, you may not know if it's an .exe otherwise

How are things running?
You should ensure you reenable Windows Defender's protections if still disabled



Mr Bell
« Reply #9 on: March 02, 2008, 03:15:14 PM »
Things are running much better thank you. You are wonderful and appreciated greatly.

guestolo
« Reply #10 on: March 02, 2008, 03:23:08 PM »
What about the laptop, do you want to double check it with a Hijackthis log?



Brenneka
« Reply #11 on: March 02, 2008, 03:41:03 PM »
Wow thank you so much!
Even though I haven't done any of the instructions that are given here, I'm happy that I found someone who can actually help me with this issue.
So, I got the same thing. I can follow the same instructions, but I have some doubts about this:
(1) The second file of mine ( C:\WINDOWS\system32\mssvc.exe ) is shown with an image icon and the other one ( same path, mssvcs.exe ) is shown with a media icon like Windows Media Player's icons. See image http://img523.imageshack.us/img523/4454/msssmz8.jpg
(2) I have the same problem as Mr_bell's got, but with a little "addition": when Windows starts, 3 "error" messages pop up (2 with an image icon and 1 with a media icon). See image http://img262.imageshack.us/img262/2107/fckbawk9.jpg

Shall I simply follow the same instructions given before?
Thanks in advance!!! I can't believe I really found someone who solved this matter up :)

guestolo
« Reply #12 on: March 02, 2008, 03:51:49 PM »
Hi Brenneka
Can you start your own topic please in this forum
and post your own hijackthis log
Here are the instructions:
Download the Hijackthis Installer from HERE
For an alternate download location, you can try HERE
SAVE it to your desktop
Double click on HJTInstall.exe to run it
Choose Install

Hijackthis v2.0.2 will open

Under Main Menu, Select
Do a system scan and save a Log file
A log will open in Notepad
Copy and Paste the Whole log back here to the forum

Remember, to start your own topic, don't reply back to this thread with the log
It's too confusing that way
