TechSpot

Help removing virus on drivers ending with netbt.sys & cdrom.sys

Solved
By Windex
Nov 11, 2011
  1. After removing threats using AVG, I was prompted to restart for the changes to take effect. Then came the blue screen on my Dell Inspiron 1501. I went into Staples to get a diagnostic and make sure there were no physical problems; it came out clean physically.

    I still cannot boot normally. When I do boot, I have to go through the boot screen pressing F8 and "Enable boot logging" to get the system to operate. Steps I have taken to resolve this issue: updated and ran an AVG virus scan, ran Malwarebytes. Logs have shown that I have two threats (listed in the subject) that are "whitelisted" and cannot be removed due to their attachment to critical system files.

    All data has been backed up and I can even restore the OS if necessary. Please help.

    Thanks
    Windex
  2. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Welcome aboard

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. Windex

    Windex TS Rookie Topic Starter Posts: 45

    Logs, sorry for the delay.

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8140

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    11/14/2011 6:57:33 PM
    mbam-log-2011-11-14 (18-57-33).txt

    Scan type: Quick scan
    Objects scanned: 51003
    Time elapsed: 14 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    _____________

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-11-14 22:24:51
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 Hitachi_HTS541680J9SA00 rev.SB2OC74P
    Running: GMER.exe; Driver: C:\DOCUME~1\Michael\LOCALS~1\Temp\kglcakob.sys


    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\SearchIndexer.exe[192] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1757981266-73586283-1801674531-1004@RefCount 61

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\$NtUninstallKB42967$\2303012498 0 bytes
    File C:\WINDOWS\$NtUninstallKB42967$\2303012498\@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB42967$\2303012498\bckfg.tmp 847 bytes
    File C:\WINDOWS\$NtUninstallKB42967$\2303012498\cfg.ini 366 bytes
    File C:\WINDOWS\$NtUninstallKB42967$\2303012498\Desktop.ini 4608 bytes
    File C:\WINDOWS\$NtUninstallKB42967$\2303012498\keywords 0 bytes
    File C:\WINDOWS\$NtUninstallKB42967$\2303012498\kwrd.dll 223744 bytes
    File C:\WINDOWS\$NtUninstallKB42967$\2303012498\L 0 bytes
    File C:\WINDOWS\$NtUninstallKB42967$\2303012498\L\exeuavms 162816 bytes
    File C:\WINDOWS\$NtUninstallKB42967$\2303012498\lsflt7.ver 5176 bytes
    File C:\WINDOWS\$NtUninstallKB42967$\2303012498\U 0 bytes
    File C:\WINDOWS\$NtUninstallKB42967$\2303012498\U\00000001.@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB42967$\2303012498\U\00000002.@ 224768 bytes
    File C:\WINDOWS\$NtUninstallKB42967$\2303012498\U\00000004.@ 1024 bytes
    File C:\WINDOWS\$NtUninstallKB42967$\2303012498\U\80000000.@ 1024 bytes
    File C:\WINDOWS\$NtUninstallKB42967$\2303012498\U\80000004.@ 12800 bytes
    File C:\WINDOWS\$NtUninstallKB42967$\2303012498\U\80000032.@ 96256 bytes
    File C:\WINDOWS\$NtUninstallKB42967$\2328178969 0 bytes
    File C:\WINDOWS\$NtUninstallKB22568$\2303012498 0 bytes
    File C:\WINDOWS\$NtUninstallKB22568$\2303012498\L 0 bytes
    File C:\WINDOWS\$NtUninstallKB22568$\2303012498\U 0 bytes
    File C:\WINDOWS\$NtUninstallKB22568$\61065199 0 bytes

    ---- EOF - GMER 1.0.15 ----

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Michael at 22:26:44 on 2011-11-14
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.509 [GMT -8:00]
    .
    FW: AVG Firewall *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Documents and Settings\Michael\Desktop\LeapFrog Connect\CommandService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\rpcnet.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Documents and Settings\Michael\Desktop\LeapFrog Connect\Monitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\wscntfy.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uDefault_Page_URL = hxxp://www.msn.com
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    {e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
    mRun: [EverioService] "c:\program files\cyberlink\pcm4everio\EverioService.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [Monitor] "c:\documents and settings\michael\desktop\leapfrog connect\Monitor.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    dPolicies-system: DisableTaskMgr = 1 (0x1)
    IE: &Search - http://tbedits.mywebsearch.com/one-...JUS&si=&a=xSNQ2VBJBNmv7Nyn8kTXOA&n=2010040518
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    LSP: mswsock.dll
    Trusted Zone: secureserver.net\email17
    Trusted Zone: ucla.edu\remote.mednet
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://myportfolio.brownshoe.com/vdesk/terminal/f5tunsrv.cab#version=6030,2009,811,2213
    DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - c:\docume~1\michael\locals~1\temp\ixp000.tmp\InstallerControl.cab
    DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} - hxxps://remote.mednet.ucla.edu/vdesk/terminal/f5InspectionHost.cab#version=6031,2009,1204,1603
    DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://download-games.pogo.com/online2/pogo/diner_dash_2/DinerDash2.1.0.0.53.cab
    DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} - hxxps://myportfolio.brownshoe.com/vdesk/terminal/vdeskctrl.cab#version=6030,2009,0824,2130
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://download-games.pogo.com/online2/pogo/diner_dash_flo_on_the_go/ddfotg.1.0.0.33.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://myportfolio.brownshoe.com/vdesk/terminal/urxshost.cab#version=6030,2009,828,1610
    DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://myportfolio.brownshoe.com/vdesk/terminal/urxhost.cab#version=6030,2009,828,1606
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.1 68.238.64.12
    TCP: Interfaces\{E34FBB4B-F263-4BFA-A464-0E2CC4EAF107} : DhcpNameServer = 192.168.1.1 68.238.64.12
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: necusb - nwusbw32.dll
    Notify: nwusbw32 - nwusbw32.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2009-11-18 3456]
    S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [?]
    S2 necusb;NEC USB Device Service;c:\windows\system32\svchost.exe -k necusb3 [2004-8-12 14336]
    S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2011-1-13 18560]
    S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
    .
    =============== Created Last 30 ================
    .
    2011-11-12 21:15:54 -------- d-----w- c:\documents and settings\michael\application data\Windows Search
    2011-11-11 17:11:22 37888 ----a-w- c:\windows\system32\nwusbw32.dll
    2011-11-11 08:26:52 -------- d-----w- c:\documents and settings\michael\application data\AVG
    2011-11-11 07:50:37 -------- d-----w- c:\windows\MATS
    2011-11-11 07:50:28 -------- d-----w- c:\program files\Microsoft Fix it Center
    2011-11-11 07:40:36 -------- d-----w- c:\documents and settings\michael\application data\ElevatedDiagnostics
    2011-11-11 07:26:37 1043 ----a-w- c:\windows\system32\0.2827484657236714.exe
    2011-11-11 06:51:43 -------- d-----w- c:\documents and settings\michael\application data\AVG2012
    2011-11-11 06:48:39 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
    2011-11-10 23:44:24 58288 ----a-w- c:\windows\system32\rpcnet.dll
    2011-11-10 23:44:24 58288 ------w- c:\windows\system32\rpcnet.exe
    2011-11-10 13:11:39 16896 ----a-w- c:\windows\system32\Rpcnetp.exe
    2011-10-20 06:00:15 -------- d-----w- C:\8B3A3
    2011-10-20 05:59:56 -------- d-----w- c:\program files\LP
    2011-10-20 04:37:01 -------- d-----w- C:\Adobe
    .
    ==================== Find3M ====================
    .
    2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-09-01 01:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
    2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    .
    ============= FINISH: 22:27:10.75 ===============
  4. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Go on............
  5. Windex

    Windex TS Rookie Topic Starter Posts: 45

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/18/2009 8:50:06 PM
    System Uptime: 11/14/2011 9:14:56 PM (1 hours ago)
    .
    Motherboard: Dell Inc. | | 0UW744
    Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-50 | Socket M2/S1G1 | 1596/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 75 GiB total, 24.593 GiB free.
    H: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Dell Wireless 1390 WLAN Mini-Card
    Device ID: PCI\VEN_14E4&DEV_4311&SUBSYS_00071028&REV_01\4&2EA2911C&0&0030
    Manufacturer: Broadcom
    Name: Dell Wireless 1390 WLAN Mini-Card
    PNP Device ID: PCI\VEN_14E4&DEV_4311&SUBSYS_00071028&REV_01\4&2EA2911C&0&0030
    Service: BCM43XX
    .
    Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
    Description: CD-ROM Drive
    Device ID: USBSTOR\CDROM&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_2.15\0000060425022728&1
    Manufacturer: (Standard CD-ROM drives)
    Name: SanDisk U3 Cruzer Micro USB Device
    PNP Device ID: USBSTOR\CDROM&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_2.15\0000060425022728&1
    Service: cdrom
    .
    Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
    Description: CD-ROM Drive
    Device ID: IDE\CDROMHL-DT-ST_DVD+-RW_GSA-T11N_______________A102____\304B364153413246333020342020202020202020
    Manufacturer: (Standard CD-ROM drives)
    Name: HL-DT-ST DVD+-RW GSA-T11N
    PNP Device ID: IDE\CDROMHL-DT-ST_DVD+-RW_GSA-T11N_______________A102____\304B364153413246333020342020202020202020
    Service: cdrom
    .
    ==== System Restore Points ===================
    .
    RP289: 11/10/2011 10:46:01 PM - Installed AVG 2012
    RP290: 11/10/2011 10:46:23 PM - Removed AVG 2012
    RP291: 11/10/2011 10:47:33 PM - Installed AVG 2012
    RP292: 11/10/2011 11:05:14 PM - Removed AVG 2011
    RP293: 11/10/2011 11:36:37 PM - Installed %1 %2.
    RP294: 11/11/2011 3:00:43 AM - Software Distribution Service 3.0
    RP295: 11/12/2011 3:28:30 AM - System Checkpoint
    RP296: 11/12/2011 1:00:11 PM - Software Distribution Service 3.0
    RP297: 11/14/2011 8:19:20 PM - Removed AVG 2012
    RP298: 11/14/2011 8:20:46 PM - Removed AVG 2012
    .
    ==== Installed Programs ======================
    .
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader X (10.1.0)
    AMD Processor Driver
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    Broadcom 440x 10/100 Integrated Controller
    Camera Driver
    Canon Camera Access Library
    Canon Camera Support Core Library
    Canon Camera WIA Driver
    Canon Camera Window DC_DV 5 for ZoomBrowser EX
    Canon Camera Window DC_DV 6 for ZoomBrowser EX
    Canon Camera Window MC 6 for ZoomBrowser EX
    Canon EOS-1D Mark II N WIA Driver
    Canon EOS-1Ds Mark II WIA Driver
    Canon EOS 5D WIA Driver
    Canon EOS Kiss_N REBEL_XT 350D WIA Driver
    Canon RAW Image Task for ZoomBrowser EX
    Canon RemoteCapture Task for ZoomBrowser EX
    Canon Utilities Digital Photo Professional 2.1
    Canon Utilities EOS Utility
    Canon Utilities PhotoStitch
    Canon Utilities ZoomBrowser EX
    Coby Media Manager
    Compatibility Pack for the 2007 Office system
    Conexant HDA D110 MDC V.92 Modem
    Dell Resource CD
    Dell Wireless WLAN Card
    Digital Photo Navigator 1.5
    Fritz Grandmaster Challenge
    HOTLLAMA Media Player
    HOTLLAMA Media Player - Update
    Internet Explorer (Enable DEP)
    Java Auto Updater
    Java(TM) 6 Update 18
    LeapFrog Connect
    LeapFrog Tag Junior Plugin
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2572067)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0
    Microsoft Application Error Reporting
    Microsoft Automated Troubleshooting Services Shim
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Fix it Center
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office File Validation Add-In
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office SharePoint Designer 2007
    Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
    Microsoft Office SharePoint Designer MUI (English) 2007
    Microsoft Office Small Business Edition 2003
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    MSN
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    OPSWAT AntiVirus and Firewall Integration Libraries
    PowerCinema NE for Everio
    PowerDirector Express
    PowerProducer
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB923789)
    SigmaTel Audio
    Sonic DLA
    Sonic RecordNow!
    Sonic Update Manager
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Sharepoint Designer 2007 Help (KB963675)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2641690)
    Use the entry named LeapFrog Connect to uninstall (LeapFrog Tag Junior Plugin)
    WebFldrs XP
    Windows Driver Package - LeapFrog (FlyUsb) USB (11/05/2008 1.1.1.0)
    Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)
    Windows Driver Package - Ricoh Company Memorystick Host Controller (07/09/2005 1.00.01.12)
    Windows Driver Package - Ricoh Company MMC Host Controller (07/14/2005 1.00.00.06)
    Windows Driver Package - Ricoh Company xD-Picture Card/SmartMedia Host Controller (07/14/2005 1.00.02.04)
    Windows Essentials Media Codec Pack 3.5 [32-Bit]
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WModem Driver Installer
    .
    ==== Event Viewer Messages From Past Week ========
    .
    11/14/2011 9:34:20 PM, error: AmdK8 [2] - The Acpi 2.0 _PCT object returned an invalid value of 3
    11/14/2011 9:32:06 PM, error: Service Control Manager [7023] - The NEC USB Device Service service terminated with the following error: The specified module could not be found.
    11/14/2011 9:25:55 PM, error: atapi [9] - The device, \Device\Ide\IdePort2, did not respond within the timeout period.
    11/14/2011 9:15:32 PM, error: Service Control Manager [7023] - The Help and Support service terminated with the following error: The specified module could not be found.
    11/14/2011 9:15:32 PM, error: Service Control Manager [7003] - The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT
    11/14/2011 9:15:32 PM, error: Service Control Manager [7003] - The DHCP Client service depends on the following nonexistent service: NetBT
    11/14/2011 9:15:32 PM, error: Service Control Manager [7000] - The My Web Search Service service failed to start due to the following error: The system cannot find the path specified.
    11/14/2011 8:21:01 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the NEC USB Device Service service to connect.
    11/14/2011 8:21:01 PM, error: Service Control Manager [7000] - The NEC USB Device Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    .
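The two logs above carry the indicators a helper reads first: the `$NtUninstallKB...$` folders full of `@`, `U` and `L` entries in the GMER file list, the `DisableTaskMgr = 1` policy in the DDS report, the My Web Search service whose binary DDS could not find, the numerically named executable created in system32, and the Event Viewer 7003 errors saying the NetBT service no longer exists (consistent with the netbt.sys removal described in the first post, and the reason the DHCP Client cannot start). The script below is an added example written for this page, not part of the thread and not a GMER, DDS or TechSpot tool; it pulls those indicators out of pasted log text. SAMPLE_LOG is a trimmed copy of lines from the logs above plus one constructed control line for a genuine hotfix folder (KB923789, which the Installed Programs list shows as a real Windows XP update). The "KB number shorter than six digits" heuristic and the finding names are assumptions of the example.

```python
"""Triage a pasted GMER / DDS log for the indicators visible in this thread.

Added example (editorial code, not part of the original thread or of any
tool named in it). SAMPLE_LOG is trimmed from the logs above plus one
constructed control line (KB923789) that must NOT be flagged.
"""
import re
from collections import defaultdict

# GMER "Files" section: "File <path> <size> bytes"
GMER_FILE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes$")
# Windows Update uninstall folders hold a spuninst\ subfolder and the replaced
# files; a purely numeric subfolder under a short "KB" number is not that
# layout.  Heuristic, an assumption of this example.
HOTFIX_DIR = re.compile(
    r"\\\$NtUninstallKB(?P<kb>\d+)\$\\(?P<sub>\d+)(?:\\(?P<rest>.*))?$", re.I)
# DDS "Pseudo HJT Report": machine-wide policy (DisableTaskMgr etc.)
POLICY = re.compile(r"^dPolicies-system: (?P<name>\w+) = (?P<val>\d+)")
# DDS "Created Last 30": "<date> <time> <size> <attrs> <path>"
CREATED = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} +(?P<size>\S+) +(?P<attr>\S+) +(?P<path>.+)$")
RANDOM_NAME = re.compile(r"^\d[\d.]*\.exe$", re.I)  # e.g. 0.2827484657236714.exe
# DDS service line whose binary could not be found ("--> <path> [?]")
SERVICE_MISSING = re.compile(
    r"^[RS]\d (?P<name>[^;]+);[^;]+;(?P<path>.+?) --> .+\[\?\]$")
# Event Viewer 7003: a service depends on a service that no longer exists
EVT_7003 = re.compile(
    r"Service Control Manager \[7003\] - The (?P<svc>.+?) service depends on "
    r"the following nonexistent service: (?P<dep>\w+)")


def triage(text):
    """Return finding tuples; per-line findings in log order, aggregates last."""
    findings = []
    hotfix = defaultdict(set)       # (kb, subfolder) -> child names seen
    missing_dep = defaultdict(set)  # missing service -> services that need it
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = GMER_FILE.match(line)
        if m:
            h = HOTFIX_DIR.search(m.group("path"))
            if h:
                rest = h.group("rest") or ""
                hotfix[(h.group("kb"), h.group("sub"))].add(rest.split("\\")[0])
            continue
        m = POLICY.match(line)
        if m and m.group("val") != "0":
            findings.append(("policy", m.group("name"), m.group("val")))
            continue
        m = SERVICE_MISSING.match(line)
        if m:
            findings.append(("service_file_missing", m.group("name"), m.group("path")))
            continue
        m = CREATED.match(line)
        if m:
            path = m.group("path")
            if RANDOM_NAME.match(path.rsplit("\\", 1)[-1]):
                findings.append(("random_name_exe", path))
            continue
        m = EVT_7003.search(line)
        if m:
            missing_dep[m.group("dep")].add(m.group("svc"))
    for (kb, sub), children in sorted(hotfix.items()):
        marks = sorted(children & {"@", "U", "L"})
        if marks or len(kb) < 6:
            findings.append(("hidden_hotfix_dir", f"$NtUninstallKB{kb}$\\{sub}", marks))
    for dep, services in sorted(missing_dep.items()):
        findings.append(("dependency_missing", dep, sorted(services)))
    return findings


# Trimmed from the GMER / DDS logs in this thread; the KB923789 line is a
# constructed control for a genuine hotfix uninstall folder.
SAMPLE_LOG = r"""
File C:\WINDOWS\$NtUninstallKB42967$\2303012498 0 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\cfg.ini 366 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\L\exeuavms 162816 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\U\80000032.@ 96256 bytes
File C:\WINDOWS\$NtUninstallKB22568$\2303012498\L 0 bytes
File C:\WINDOWS\$NtUninstallKB22568$\2303012498\U 0 bytes
File C:\WINDOWS\$NtUninstallKB923789$\spuninst\spuninst.exe 4096 bytes
dPolicies-system: DisableTaskMgr = 1 (0x1)
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [?]
2011-11-11 07:26:37 1043 ----a-w- c:\windows\system32\0.2827484657236714.exe
2011-11-10 23:44:24 58288 ----a-w- c:\windows\system32\rpcnet.dll
11/14/2011 9:15:32 PM, error: Service Control Manager [7003] - The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT
11/14/2011 9:15:32 PM, error: Service Control Manager [7003] - The DHCP Client service depends on the following nonexistent service: NetBT
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Paste a full GMER or DDS log into `triage()` as one string; each finding names what to look at next (the folder to inspect or delete, the policy value to reset, the service whose registration has to be restored). The heuristics are deliberately narrow so a genuine `$NtUninstallKB...$\spuninst` folder is not flagged.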
  6. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start the scan.

    On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install the Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run yourname.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
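The MBR.dat that aswMBR leaves on the desktop is a raw 512-byte copy of sector 0, which is why the instructions say not to delete it. The script below is an added example written for this page (not part of aswMBR or of the thread) showing what can be checked in such a copy offline: the 0x55AA boot signature, the four partition-table entries, and a byte-level diff of the 446-byte boot-code region against a second image, so a copy taken after cleaning can be compared with the one saved before. aswMBR's own verdict ("Windows XP default MBR code") comes from comparing against known boot code; this example only compares two images with each other. Both images are constructed in the script: the stand-in boot code and partition geometry are invented for illustration, and the "tampered" copy is a simulated patch, not real malware.

```python
"""Inspect and compare 512-byte MBR images such as aswMBR's MBR.dat.

Added example, not part of the original thread or of aswMBR. The MBR layout
used here is the standard one: 446 bytes of boot code, four 16-byte
partition entries at offset 446, and the 0x55AA signature at offset 510.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445: boot loader code
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
SIGNATURE = b"\x55\xAA"    # bytes 510..511

PART_TYPES = {0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x83: "Linux"}


def parse_mbr(image: bytes) -> dict:
    """Decode signature validity, boot-code hash and non-empty partitions."""
    if len(image) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(image)}")
    parts = []
    for i in range(4):
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", image, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80,
                      "type": PART_TYPES.get(ptype, f"0x{ptype:02X}"),
                      "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": image[510:512] == SIGNATURE,
            "boot_code_sha256": hashlib.sha256(image[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}


def boot_code_diff(saved: bytes, current: bytes) -> list:
    """(start, end) offsets of byte runs that differ inside the boot-code region."""
    runs, start = [], None
    for i in range(BOOT_CODE_LEN):
        if saved[i] != current[i] and start is None:
            start = i
        elif saved[i] == current[i] and start is not None:
            runs.append((start, i))
            start = None
    if start is not None:
        runs.append((start, BOOT_CODE_LEN))
    return runs


def compare(saved: bytes, current: bytes) -> dict:
    """Compare a saved MBR.dat with a later snapshot of sector 0."""
    s, c = parse_mbr(saved), parse_mbr(current)
    return {"signature_ok": s["signature_ok"] and c["signature_ok"],
            "boot_code_changed": s["boot_code_sha256"] != c["boot_code_sha256"],
            "changed_runs": boot_code_diff(saved, current),
            "partition_table_changed": s["partitions"] != c["partitions"]}


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given boot code, one bootable NTFS partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF",
                        63, 156280257)     # geometry invented for the example
    return code + entry + b"\x00" * 48 + SIGNATURE


# Stand-in boot code (not real XP boot code) and a simulated tamper that
# overwrites the first five bytes with a jump elsewhere.
SAVED_MBR = build_sample_mbr(
    b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\x8B\xF4\x50\x07\x50\x1F\xFB\xFC" * 4)
_t = bytearray(SAVED_MBR)
_t[0:5] = b"\xE9\x00\x01\x90\x90"
TAMPERED_MBR = bytes(_t)

if __name__ == "__main__":
    print(parse_mbr(SAVED_MBR))
    print(compare(SAVED_MBR, TAMPERED_MBR))
```

With a real MBR.dat, `parse_mbr(open("MBR.dat", "rb").read())` lists the partition table, and `compare()` against a second dump shows exactly which boot-code bytes moved; a run starting at offset 0 (the first instruction redirected) is the pattern a boot-code patch produces.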
  7. Windex

    Windex TS Rookie Topic Starter Posts: 45

    Running ComboFix, a message from the Registry Editor states "Cannot export C:\Qoobox\Quarantine\Registry_backups\Notify-box.reg.dat: Error opening the file. There may be a disk or file system error."

    I clicked OK and the scan completed and the log displayed. Is that how it's supposed to happen?
  8. Windex

    Windex TS Rookie Topic Starter Posts: 45

    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-11-22 13:03:01
    -----------------------------
    13:03:01.796 OS Version: Windows 5.1.2600 Service Pack 3
    13:03:01.796 Number of processors: 2 586 0x4802
    13:03:01.796 ComputerName: 2B015DF5D9E843D UserName: Michael
    13:03:02.187 Initialize success
    13:03:15.796 AVAST engine download error: 0
    13:03:17.953 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3
    13:03:17.953 Disk 0 Vendor: Hitachi_HTS541680J9SA00 SB2OC74P Size: 76319MB BusType: 3
    13:03:19.968 Disk 0 MBR read successfully
    13:03:19.968 Disk 0 MBR scan
    13:03:19.968 Disk 0 Windows XP default MBR code
    13:03:19.968 Disk 0 scanning sectors +156280320
    13:03:20.031 Disk 0 scanning C:\WINDOWS\system32\drivers
    13:03:25.640 Service scanning
    13:03:27.156 Modules scanning
    13:03:32.734 Disk 0 trace - called modules:
    13:03:32.734 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll atiide.sys PCIIDEX.SYS
    13:03:32.734 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84b74ab8]
    13:03:32.734 3 CLASSPNP.SYS[f7512fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-3[0x84b24d98]
    13:03:32.734 Scan finished successfully
    13:04:13.265 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Michael\Desktop\MBR.dat"
    13:04:13.265 The log file has been saved successfully to "C:\Documents and Settings\Michael\Desktop\aswMBR.txt"


    ComboFix 11-11-22.01 - Michael 11/22/2011 14:06:48.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.616 [GMT -8:00]
    Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
    FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\Michael\Application Data\Adobe\plugs
    c:\documents and settings\Michael\Application Data\Adobe\shed
    C:\install.exe
    c:\program files\LP
    c:\windows\$NtUninstallKB22568$
    c:\windows\$NtUninstallKB22568$\61065199
    c:\windows\$NtUninstallKB42967$
    c:\windows\$NtUninstallKB42967$\2303012498\@
    c:\windows\$NtUninstallKB42967$\2303012498\bckfg.tmp
    c:\windows\$NtUninstallKB42967$\2303012498\cfg.ini
    c:\windows\$NtUninstallKB42967$\2303012498\Desktop.ini
    c:\windows\$NtUninstallKB42967$\2303012498\keywords
    c:\windows\$NtUninstallKB42967$\2303012498\kwrd.dll
    c:\windows\$NtUninstallKB42967$\2303012498\L\exeuavms
    c:\windows\$NtUninstallKB42967$\2303012498\lsflt7.ver
    c:\windows\$NtUninstallKB42967$\2303012498\U\00000001.@
    c:\windows\$NtUninstallKB42967$\2303012498\U\00000002.@
    c:\windows\$NtUninstallKB42967$\2303012498\U\00000004.@
    c:\windows\$NtUninstallKB42967$\2303012498\U\80000000.@
    c:\windows\$NtUninstallKB42967$\2303012498\U\80000004.@
    c:\windows\$NtUninstallKB42967$\2303012498\U\80000032.@
    c:\windows\$NtUninstallKB42967$\2328178969
    c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53
    c:\windows\system32\0.2827484657236714.exe
    .
    Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\cdrom.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_MYWEBSEARCHSERVICE
    -------\Service_MyWebSearchService
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-22 to 2011-11-22 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-12 21:15 . 2011-11-12 21:15 -------- d-----w- c:\documents and settings\Michael\Application Data\Windows Search
    2011-11-11 17:11 . 2011-11-11 17:11 37888 ----a-w- c:\windows\system32\nwusbw32.dll
    2011-11-11 08:26 . 2011-11-11 08:29 -------- d-----w- c:\documents and settings\Michael\Application Data\AVG
    2011-11-11 07:50 . 2011-11-11 07:50 -------- d-----w- c:\windows\MATS
    2011-11-11 07:50 . 2011-11-11 07:50 -------- d-----w- c:\program files\Microsoft Fix it Center
    2011-11-11 07:40 . 2011-11-11 07:40 -------- d-----w- c:\documents and settings\Michael\Application Data\ElevatedDiagnostics
    2011-11-11 06:48 . 2011-11-15 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
    2011-11-10 23:44 . 2011-11-22 22:21 58288 ----a-w- c:\windows\system32\rpcnet.dll
    2011-11-10 23:44 . 2011-11-10 23:44 58288 ------w- c:\windows\system32\rpcnet.exe
    2011-11-10 13:11 . 2011-11-22 22:21 16896 ----a-w- c:\windows\system32\Rpcnetp.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-10 14:22 . 2009-11-19 04:44 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2004-08-12 13:56 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 18:41 . 2009-10-08 21:57 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 18:41 . 2004-08-12 14:02 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 18:41 . 2004-08-12 14:02 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20 . 2004-08-12 14:09 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-09-01 01:00 . 2009-11-20 07:22 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
    "EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-06-06 151552]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-09-01 1047208]
    "Monitor"="c:\documents and settings\Michael\Desktop\LeapFrog Connect\Monitor.exe" [2010-11-19 193880]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\necusb]
    2011-11-11 17:11 37888 ----a-w- c:\windows\system32\nwusbw32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwusbw32]
    2011-11-11 17:11 37888 ----a-w- c:\windows\system32\nwusbw32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Documents and Settings\\Michael\\Desktop\\LeapFrog Connect\\LeapFrogConnect.exe"=
    .
    R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [11/18/2009 9:28 PM 3456]
    S2 necusb;NEC USB Device Service;c:\windows\System32\svchost.exe -k necusb3 [8/12/2004 6:06 AM 14336]
    S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [1/13/2011 2:36 PM 18560]
    S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 10:09 PM 267568]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    necusb3 REG_MULTI_SZ necusb
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 21:15]
    .
    2011-11-22 c:\windows\Tasks\User_Feed_Synchronization-{F43ADB18-8D83-41B0-AB43-5912F756482B}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]
    .
    2011-11-22 c:\windows\Tasks\Windows Codec Update Service.job
    - c:\program files\Essentials Codec Pack\WECPUpdate.exe [2011-02-27 10:06]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    Trusted Zone: secureserver.net\email17
    Trusted Zone: ucla.edu\remote.mednet
    TCP: DhcpNameServer = 192.168.1.1 68.238.64.12
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
    Notify- - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-22 14:21
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(460)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\nwusbw32.dll
    c:\windows\System32\BCMLogon.dll
    .
    - - - - - - - > 'explorer.exe'(852)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\System32\bcmwltry.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\documents and settings\Michael\Desktop\LeapFrog Connect\CommandService.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\windows\system32\rpcnet.exe
    c:\windows\system32\SearchIndexer.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
    c:\windows\stsystra.exe
    c:\program files\ATI Technologies\ATI.ACE\cli.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-11-22 15:51:36 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-22 23:51
    .
    Pre-Run: 26,361,749,504 bytes free
    Post-Run: 26,978,529,280 bytes free
    .
    - - End Of File - - 6E8498087DE84B74E169E6C86F255A50
  9. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Make sure you allow recovery console installation (as my instructions say!) on the next ComboFix run.

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\nwusbw32.dll
    
    Folder::
    
    Driver::
    necusb
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\necusb]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwusbw32]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000000
    
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  10. Windex

    Windex TS Rookie Topic Starter Posts: 45

    My internet is stuck "acquiring the address". When I run repair, it tells me it is not able to renew the IP address. I have not been able to connect to the internet, beginning with the ComboFix run. A restart did not resolve the problem. Any suggestions?
  11. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Did it happen after running the latest fix (my previous reply)?
     
  12. Windex

    Windex TS Rookie Topic Starter Posts: 45

    It was on the original run that it happened. It happened once before, since the blue screen, and I was able to get it going with a restart in "boot logging" mode. I thought it was the wireless, so I tried connecting the hard line to the laptop, and it still won't connect.
  13. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Check "Include All Files" option.
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
  14. Windex

    Windex TS Rookie Topic Starter Posts: 45

    Farbar Service Scanner
    Ran by Michael (administrator) on 27-11-2011 at 11:46:25
    Microsoft Windows XP Service Pack 3 (X86)
    ********************************************************

    Service Check:
    ==============
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    NetBt Service is not running. Checking service configuration:
    Unable to retrieve start type of NetBt. The value might not exist.
    Unable to retrieve ImagePath of NetBt. The value might not exist.


    File Check:
    ===========
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys
    [2004-08-12 06:01] - [2008-04-13 11:21] - 0162816 ____A () 7D093DA5CC1A2BDF3F4FA8CEEE9FE175

    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

    Connection Status:
    ==================
    Localhost is accessible.
    There is no connection to network.
    Attempt to access Google IP returned error: Google IP is unreachable
    Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

    **** End of log ****
  15. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    OK, we have a couple of issues there.
    You have a registry key missing and the netbt.sys file seems to be infected.
    Let's see if we can fix it.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista\Win 7 users: Right-click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
      Code:
      :filefind
      netbt.sys
      :reg
      HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt /s
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  16. Windex

    Windex TS Rookie Topic Starter Posts: 45

    SystemLook 30.07.11 by jpshortstuff
    Log created at 12:43 on 27/11/2011 by Michael
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "netbt.sys"
    C:\WINDOWS\$NtServicePackUninstall$\netbt.sys -----c- 162816 bytes [07:03 19/11/2009] [14:01 12/08/2004] 0C80E410CD2F47134407EE7DD19CC86B
    C:\WINDOWS\ServicePackFiles\i386\netbt.sys -----c- 162816 bytes [19:21 13/04/2008] [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
    C:\WINDOWS\system32\drivers\netbt.sys --a---- 162816 bytes [14:01 12/08/2004] [19:21 13/04/2008] 7D093DA5CC1A2BDF3F4FA8CEEE9FE175

    ========== reg ==========

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt]
    "Tag"= 0x0000000057 (87)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Linkage]
    "Bind"="\Device\Tcpip_{941BB1AC-C03D-4D54-82DD-A61A395A7AE6} \Device\Tcpip_{E34FBB4B-F263-4BFA-A464-0E2CC4EAF107} \Device\Tcpip_{AF64AB7D-E04E-4636-AF18-A155D7FE42B0} \Device\Tcpip_{7AC9181E-4D4F-4704-BCE5-C770730F05DA}"
    "Route"=""Tcpip" "{941BB1AC-C03D-4D54-82DD-A61A395A7AE6}" "Tcpip" "{E34FBB4B-F263-4BFA-A464-0E2CC4EAF107}" "Tcpip" "NdisWanIp""
    "Export"="\Device\NetBT_Tcpip_{941BB1AC-C03D-4D54-82DD-A61A395A7AE6} \Device\NetBT_Tcpip_{E34FBB4B-F263-4BFA-A464-0E2CC4EAF107} \Device\NetBT_Tcpip_{AF64AB7D-E04E-4636-AF18-A155D7FE42B0} \Device\NetBT_Tcpip_{7AC9181E-4D4F-4704-BCE5-C770730F05DA}"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters]
    "EnableLMHOSTS"= 0x0000000001 (1)
    "TransportBindName"="\Device\"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces]
    (No values found)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces\Tcpip_{941BB1AC-C03D-4D54-82DD-A61A395A7AE6}]
    "NameServerList"=" "
    "NetbiosOptions"= 0x0000000001 (1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces\Tcpip_{E34FBB4B-F263-4BFA-A464-0E2CC4EAF107}]
    "NameServerList"=" "
    "NetbiosOptions"= 0x0000000000 (0)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Enum]
    "0"="Root\LEGACY_NETBT\0000"
    "Count"= 0x0000000001 (1)
    "NextInstance"= 0x0000000001 (1)


    -= EOF =-
  17. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    The registry key is fine, but we need to replace the netbt.sys file.

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    C:\WINDOWS\$NtServicePackUninstall$\netbt.sys | C:\WINDOWS\system32\drivers\netbt.sys
    
    File::
    c:\windows\system32\nwusbw32.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\necusb]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwusbw32]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000000
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  18. Windex

    Windex TS Rookie Topic Starter Posts: 45

    ComboFix 11-11-22.01 - Michael 11/27/2011 13:43:16.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.485 [GMT -8:00]
    Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Michael\Desktop\CFScript.txt
    FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    - REDUCED FUNCTIONALITY MODE -
    .
    FILE ::
    "c:\windows\system32\nwusbw32.dll"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\$NtServicePackUninstall$\netbt.sys --> c:\windows\system32\drivers\netbt.sys
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-27 to 2011-11-27 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-12 21:15 . 2011-11-12 21:15 -------- d-----w- c:\documents and settings\Michael\Application Data\Windows Search
    2011-11-11 17:11 . 2011-11-11 17:11 37888 ----a-w- c:\windows\system32\nwusbw32.dll
    2011-11-11 08:26 . 2011-11-11 08:29 -------- d-----w- c:\documents and settings\Michael\Application Data\AVG
    2011-11-11 07:50 . 2011-11-11 07:50 -------- d-----w- c:\windows\MATS
    2011-11-11 07:50 . 2011-11-11 07:50 -------- d-----w- c:\program files\Microsoft Fix it Center
    2011-11-11 07:40 . 2011-11-11 07:40 -------- d-----w- c:\documents and settings\Michael\Application Data\ElevatedDiagnostics
    2011-11-11 06:48 . 2011-11-15 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
    2011-11-10 23:44 . 2011-11-27 18:11 58288 ----a-w- c:\windows\system32\rpcnet.dll
    2011-11-10 23:44 . 2011-11-10 23:44 58288 ------w- c:\windows\system32\rpcnet.exe
    2011-11-10 13:11 . 2011-11-27 21:37 16896 ----a-w- c:\windows\system32\Rpcnetp.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-10 14:22 . 2009-11-19 04:44 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2004-08-12 13:56 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 18:41 . 2009-10-08 21:57 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 18:41 . 2004-08-12 14:02 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 18:41 . 2004-08-12 14:02 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20 . 2004-08-12 14:09 1858944 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-11-22_22.21.37 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-11-27 18:11 . 2011-11-27 18:11 16384 c:\windows\Temp\Perflib_Perfdata_684.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
    "EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-06-06 151552]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "Monitor"="c:\documents and settings\Michael\Desktop\LeapFrog Connect\Monitor.exe" [2010-11-19 193880]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\necusb]
    2011-11-11 17:11 37888 ----a-w- c:\windows\system32\nwusbw32.dll
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    .
    R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [11/18/2009 9:28 PM 3456]
    S2 necusb;NEC USB Device Service;c:\windows\System32\svchost.exe -k necusb3 [8/12/2004 6:06 AM 14336]
    S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [1/13/2011 2:36 PM 18560]
    S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 10:09 PM 267568]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    necusb3 REG_MULTI_SZ necusb
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 21:15]
    .
    2011-11-27 c:\windows\Tasks\User_Feed_Synchronization-{F43ADB18-8D83-41B0-AB43-5912F756482B}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]
    .
    2011-11-27 c:\windows\Tasks\Windows Codec Update Service.job
    - c:\program files\Essentials Codec Pack\WECPUpdate.exe [2011-02-27 10:06]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    Trusted Zone: secureserver.net\email17
    Trusted Zone: ucla.edu\remote.mednet
    TCP: DhcpNameServer = 192.168.1.1 68.238.64.12
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-27 13:44
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(632)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\nwusbw32.dll
    c:\windows\System32\BCMLogon.dll
    .
    - - - - - - - > 'explorer.exe'(1116)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-11-27 13:47:21
    ComboFix-quarantined-files.txt 2011-11-27 21:47
    ComboFix2.txt 2011-11-22 23:51
    .
    Pre-Run: 26,946,568,192 bytes free
    Post-Run: 26,934,521,856 bytes free
    .
    - - End Of File - - 1B517C384E66DDBA53F53450726C77E4
  19. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Is your connection back?
  20. Windex

    Windex TS Rookie Topic Starter Posts: 45

    Restarting...
  21. Windex

    Windex TS Rookie Topic Starter Posts: 45

    Stuck renewing IP address.
  22. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    More details please.
  23. Windex

    Windex TS Rookie Topic Starter Posts: 45

    The Windows device manager displays the orbiting ball around the icon. My Dell device manager is showing me that my connection strength is excellent, the status is unknown, and the address is "0.0.0.0".

    When I right-click and run the "repair" function, it disables, enables, and finds the connection, then gets hung up on renewing the IP address.

    I have turned off the firewall to see if that would help. Still nothing. I did a "configure" on the Dell Wireless 1390 mini-card; after reading a Dell community post on troubleshooting the wireless card, I changed the "Antenna Diversity" to "Aux" and disabled the Minimum Power Consumption and Power Save Mode functions.

    I am thinking about rolling back the driver, but am hesitant as I don't want to roll back to something worse.
  24. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Re-run Farbar Service Scanner.
  25. Windex

    Windex TS Rookie Topic Starter Posts: 45

    Farbar Service Scanner
    Ran by Michael (administrator) on 27-11-2011 at 18:50:34
    Microsoft Windows XP Service Pack 3 (X86)
    ********************************************************

    Service Check:
    ==============
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    NetBt Service is not running. Checking service configuration:
    Unable to retrieve start type of NetBt. The value might not exist.
    Unable to retrieve ImagePath of NetBt. The value might not exist.


    File Check:
    ===========
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys
    [2004-08-12 06:01] - [2004-08-12 06:01] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

    Connection Status:
    ==================
    Localhost is accessible.
    There is no connection to network.
    Attempt to access Google IP returned error: Google IP is unreachable
    Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

    **** End of log ****
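Added example, not part of this thread and not code from the FSS or SystemLook authors: a Python script that automates the comparison Broni made by eye, reading the File Check section of both FSS logs and the SystemLook filefind section posted above (embedded as sample input) and reporting, for each file FSS could not verify, whether its MD5 matches any backup copy on disk and which backups could serve as a restore source. The line layouts it parses are assumed from the logs exactly as posted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample input, copied from the logs posted in this thread:
# the File Check section of the first FSS log, before netbt.sys was replaced...
FSS_BEFORE = r"""
File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-12 06:01] - [2008-04-13 11:21] - 0162816 ____A () 7D093DA5CC1A2BDF3F4FA8CEEE9FE175

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
"""
# ...the same section from the second FSS log, after the FCopy...
FSS_AFTER = r"""
File Check:
===========
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-12 06:01] - [2004-08-12 06:01] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
"""
# ...and the SystemLook filefind section listing every copy of netbt.sys on disk.
SYSTEMLOOK = r"""
========== filefind ==========

Searching for "netbt.sys"
C:\WINDOWS\$NtServicePackUninstall$\netbt.sys -----c- 162816 bytes [07:03 19/11/2009] [14:01 12/08/2004] 0C80E410CD2F47134407EE7DD19CC86B
C:\WINDOWS\ServicePackFiles\i386\netbt.sys -----c- 162816 bytes [19:21 13/04/2008] [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\system32\drivers\netbt.sys --a---- 162816 bytes [14:01 12/08/2004] [19:21 13/04/2008] 7D093DA5CC1A2BDF3F4FA8CEEE9FE175
"""

# FSS detail line that follows an unverified path: [date] - [date] - size attrs (signer) MD5
FSS_DETAIL = re.compile(
    r"^\[(?P<d1>[^\]]+)\] - \[(?P<d2>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<signer>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")
# SystemLook filefind hit: path attrs size bytes [date] [date] MD5
SL_HIT = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<d1>[^\]]+)\] \[(?P<d2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$")


def fss_unverified_files(log):
    """Return {path: detail} for File Check entries FSS did not mark '=> MD5 is legit'.
    FSS prints those as a bare path followed by a detail line."""
    flagged = {}
    lines = [ln.strip() for ln in log.splitlines()]
    for i, line in enumerate(lines):
        if not line or " => " in line or line.startswith(("File Check", "=")):
            continue
        m = FSS_DETAIL.match(lines[i + 1]) if i + 1 < len(lines) else None
        if m and not line.startswith("["):
            detail = m.groupdict()
            detail["size"] = int(detail["size"])
            detail["md5"] = detail["md5"].upper()
            flagged[line] = detail
    return flagged


def systemlook_copies(log):
    """Return {filename: [(path, md5, size), ...]} from the filefind section."""
    copies = defaultdict(list)
    for line in log.splitlines():
        m = SL_HIT.match(line.strip())
        if m:
            name = m.group("path").rsplit("\\", 1)[-1].lower()
            copies[name].append((m.group("path"), m.group("md5").upper(), int(m.group("size"))))
    return dict(copies)


def triage(fss_log, sl_log):
    """Cross-reference each FSS-flagged file with the other copies SystemLook found.
    A live copy is marked suspect when it carries no signer and its hash matches
    none of the backup copies; the backups with a different hash are the candidate
    restore sources (choosing the right version among them is a separate decision)."""
    report = {}
    copies = systemlook_copies(sl_log)
    for path, detail in fss_unverified_files(fss_log).items():
        name = path.rsplit("\\", 1)[-1].lower()
        backups = [c for c in copies.get(name, []) if c[0].lower() != path.lower()]
        same = [p for p, md5, _ in backups if md5 == detail["md5"]]
        different = [(p, md5) for p, md5, _ in backups if md5 != detail["md5"]]
        report[path] = {
            "md5": detail["md5"],
            "signer": detail["signer"] or None,
            "matching_backups": same,
            "candidate_sources": different,
            "suspect": not same and bool(different) and not detail["signer"],
        }
    return report


if __name__ == "__main__":
    for label, log in (("before", FSS_BEFORE), ("after", FSS_AFTER)):
        for path, verdict in triage(log, SYSTEMLOOK).items():
            print(label, path, "SUSPECT" if verdict["suspect"] else "ok", verdict["candidate_sources"])
```

On the "before" log the live driver is flagged as suspect (unsigned, hash shared with no backup copy, same size as both backups); on the "after" log it matches the $NtServicePackUninstall$ copy and carries a signer, so it is no longer suspect even though FSS still lists it.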

