WincodeCPRO MONSTER, Please save me


Post by trishschramm on Mon 02 Nov 2009, 6:22 pm

I have followed all your instructions, updated everything I should update, I've run Malwarebytes, Spyware Dr. and Smitfraud but this monster keeps coming back. It's disabled my task manager so I can't stop the process. I'm at my wit's end....I'm technologically challenged but I can follow step by step instructions
If you can help an old gal you will be a hero!

Here's my hijack this log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:13:10, on 11/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\derealsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Patricia Schramm\Desktop\hijack this\winlogon.scr
C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~2\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [derealsched] C:\Program Files\Common Files\Real\Update_OB\derealsched.exe
O4 - HKLM\..\Run: [de\Update_OB\derealsched] C:\Program Files\Common Files\Real\Update_OB\derealsched.exe
O4 - HKLM\..\Run: [dederealsched] C:\Program Files\Common Files\Real\Update_OB\derealsched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-21-1974513741-1537842860-46582326-1010\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (User 'Danny')
O4 - HKUS\S-1-5-21-1974513741-1537842860-46582326-1010\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'Danny')
O4 - HKUS\S-1-5-21-1974513741-1537842860-46582326-1010\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Danny')
O4 - HKUS\S-1-5-21-1974513741-1537842860-46582326-1011\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'David')
O4 - HKUS\S-1-5-21-1974513741-1537842860-46582326-1011\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'David')
O4 - HKUS\S-1-5-21-1974513741-1537842860-46582326-1012\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Steve')
O4 - HKUS\S-1-5-21-1974513741-1537842860-46582326-500\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'Administrator')
O4 - S-1-5-21-1974513741-1537842860-46582326-1010 Startup: Sid Registration.lnk = D:\ATR1.exe (User 'Danny')
O4 - S-1-5-21-1974513741-1537842860-46582326-1010 User Startup: Sid Registration.lnk = D:\ATR1.exe (User 'Danny')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]*.mcafee.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - [You must be registered and logged in to see this link.]
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O18 - Protocol: bw+0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {C496B0F9-6D51-4C35-B210-E9F710923FB3} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O21 - SSODL: KbdVolume - {402e78db-0255-473e-9aa9-9dfb31bb1753} - (no file)
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

--
End of file - 23649 bytes

trishschramm


Re: WincodeCPRO MONSTER, Please save me

Post by Belahzur on Mon 02 Nov 2009, 6:32 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O4 - HKLM\..\Run: [derealsched] C:\Program Files\Common Files\Real\Update_OB\derealsched.exe
    O4 - HKLM\..\Run: [de\Update_OB\derealsched] C:\Program Files\Common Files\Real\Update_OB\derealsched.exe
    O4 - HKLM\..\Run: [dederealsched] C:\Program Files\Common Files\Real\Update_OB\derealsched.exe
    O21 - SSODL: KbdVolume - {402e78db-0255-473e-9aa9-9dfb31bb1753} - (no file)


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

______________________________




From now on, I will no longer answer any requests for help via PM, please post in the forum.

If I have helped, please consider a [You must be registered and logged in to see this link.] to help keep us alive.

"Strike like dragons, we have no fear"

Belahzur
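
The lines listed in the reply above show two patterns that are visible in the posted log itself: entries whose target is marked "(no file)", and three values in the same HKLM Run key that launch the same executable. The following is an added example, not part of the thread and not HijackThis's own logic, that surfaces both patterns from a log excerpt; the function names and the grouping heuristic are assumptions, and a hit is a lead for manual review, not a verdict.

```python
import re
from collections import defaultdict

# Excerpt of lines copied from the HijackThis log posted in this thread,
# assembled here as sample input so the example runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [derealsched] C:\Program Files\Common Files\Real\Update_OB\derealsched.exe
O4 - HKLM\..\Run: [de\Update_OB\derealsched] C:\Program Files\Common Files\Real\Update_OB\derealsched.exe
O4 - HKLM\..\Run: [dederealsched] C:\Program Files\Common Files\Real\Update_OB\derealsched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1974513741-1537842860-46582326-1010\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Danny')
O21 - SSODL: KbdVolume - {402e78db-0255-473e-9aa9-9dfb31bb1753} - (no file)
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# A log entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Registry autostart entries in section O4: "<key>\Run: [value name] command line".
RUN_RE = re.compile(r"^(\S+\\Run): \[(.+?)\] (.+)$")
# Markers the log appends when the referenced file is not on disk.
MISSING_MARKERS = ("(no file)", "(file missing)")


def parse_entries(text):
    """Return (section_code, body) for every entry line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def missing_file_entries(entries):
    """Entries whose registered target is reported as absent from disk."""
    hits = []
    for code, body in entries:
        for marker in MISSING_MARKERS:
            if body.endswith(marker):
                hits.append((code, marker, body))
    return hits


def repeated_run_targets(entries):
    """Run keys in which several value names launch the same command line.

    Assumed heuristic: grouping is per registry key, so the same program
    started from two different user hives is not reported.
    """
    groups = defaultdict(list)
    for code, body in entries:
        if code != "O4":
            continue
        match = RUN_RE.match(body)
        if not match:
            continue  # Startup-folder shortcuts and other O4 forms
        key, name, command = match.groups()
        target = command.replace('"', "").strip().lower()
        groups[(key, target)].append(name)
    return {k: names for k, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    print("Entries with a missing target:")
    for code, marker, body in missing_file_entries(parsed):
        print(f"  {code} {marker}: {body}")
    print("Run keys with repeated targets:")
    for (key, target), names in repeated_run_targets(parsed).items():
        print(f"  {key} -> {target}")
        for name in names:
            print(f"    value name: {name}")
```
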


Re: WincodeCPRO MONSTER, Please save me

Post by trishschramm on Mon 02 Nov 2009, 10:06 pm

I'm on it...thanks for your help!

trishschramm


Re: WincodeCPRO MONSTER, Please save me

Post by trishschramm on Tue 03 Nov 2009, 5:24 am

Fell asleep last night before scan was finished - here's the MBAM log file -

Red X of death is gone from system tray, but desktop still has WARNING video files blah blah blah.....

Malwarebytes' Anti-Malware 1.41
Database version: 3090
Windows 5.1.2600 Service Pack 3

11/3/2009 6:13:06 AM
mbam-log-2009-11-03 (06-13-06).txt

Scan type: Quick Scan
Objects scanned: 193143
Time elapsed: 1 hour(s), 47 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

trishschramm


Re: WincodeCPRO MONSTER, Please save me

Post by Belahzur on Tue 03 Nov 2009, 2:41 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Belahzur


Re: WincodeCPRO MONSTER, Please save me

Post by trishschramm on Tue 03 Nov 2009, 5:08 pm

On it!

trishschramm


Re: WincodeCPRO MONSTER, Please save me

Post by trishschramm on Tue 03 Nov 2009, 8:49 pm

Oh my gosh - things look normal again but I will await your next instructions or all systems OK....by the way, you are just brilliant!!!

Here's the combofix.txt

ComboFix 09-11-03.01 - Patricia Schramm 11/03/2009 20:35.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.213 [GMT -5:00]
Running from: c:\documents and settings\Patricia Schramm\Desktop\Combo-fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Patricia Schramm\My Documents\registry_archive.reg
c:\windows\jestertb.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\FM20(2).DLL
c:\windows\system32\FM20ENU(2).DLL
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\tmp.reg
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.

2009-11-04 01:21 . 2009-11-04 01:24 -------- d-----w- C:\Combo-fix
2009-11-03 03:21 . 2009-11-03 05:33 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-11-02 03:08 . 2009-11-02 03:08 -------- d-----w- c:\documents and settings\Patricia Schramm\Application Data\Malwarebytes
2009-11-02 03:08 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-02 03:08 . 2009-11-02 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-02 03:08 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-02 03:08 . 2009-11-03 00:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-02 02:35 . 2009-11-02 02:35 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-02 02:31 . 2009-11-02 11:30 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-27 02:18 . 2009-10-27 02:18 -------- d-----w- c:\documents and settings\Danny\Local Settings\Application Data\Threat Expert
2009-10-26 23:06 . 2009-10-26 23:06 -------- d-----w- c:\documents and settings\Patricia Schramm\Local Settings\Application Data\Threat Expert

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 02:29 . 2008-03-21 04:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-02 02:43 . 2003-06-12 09:53 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-26 22:05 . 2008-03-21 04:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-25 10:30 . 2007-04-16 03:30 -------- d-----w- c:\documents and settings\LocalService\Application Data\SiteAdvisor
2009-10-24 01:21 . 2003-06-12 09:55 -------- d-----w- c:\documents and settings\Patricia Schramm\Application Data\AdobeUM
2009-10-15 14:21 . 2009-09-19 02:20 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-10-15 14:21 . 2003-05-29 23:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-15 14:18 . 2008-11-28 15:11 -------- d-----w- c:\program files\Philips
2009-10-14 13:55 . 2009-09-19 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2009-09-29 03:17 . 2009-09-19 02:26 -------- d-----w- c:\program files\Rhapsody
2009-09-22 20:47 . 2009-09-22 20:47 -------- d-----w- c:\documents and settings\David\Application Data\ArcSoft
2009-09-20 03:53 . 2009-09-20 03:52 -------- d-----w- c:\documents and settings\Steve\Application Data\ArcSoft
2009-09-19 02:21 . 2009-09-19 02:21 -------- d-----w- c:\documents and settings\Patricia Schramm\Application Data\ArcSoft
2009-09-16 14:22 . 2007-04-15 21:51 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2007-04-15 21:51 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2007-04-15 21:51 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2007-04-15 21:51 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2007-04-15 21:51 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-12 04:17 . 2007-04-15 21:53 -------- d-----w- c:\documents and settings\Patricia Schramm\Application Data\SiteAdvisor
2009-09-11 14:18 . 2002-08-29 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 23:30 . 2007-08-04 10:48 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SiteAdvisor
2009-09-04 21:03 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 00:45 . 2003-05-29 23:32 95600 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 08:00 . 2002-08-29 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-22 09:07 . 2003-11-30 04:19 95600 -c--a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-20 19:09 . 2009-08-20 19:09 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-06 23:24 . 2004-08-12 19:38 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-12 19:38 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-12 19:38 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2002-08-29 10:00 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2002-08-29 10:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-12 19:38 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2005-10-12 18:15 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2005-05-26 08:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2002-08-29 10:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-10-03 2836376]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-04-10 180269]
"SiteAdvisor"="c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2006-07-24 35992]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2003-07-28 323584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LDM"=c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" boot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
"LogitechVideoRepair"=c:\program files\Logitech\Video\ISStart.exe
"LogitechVideoTray"=c:\program files\Logitech\Video\LogiTray.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"REGSHAVE"=c:\program files\REGSHAVE\REGSHAVE.EXE /AUTORUN
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"DVDSentry"=c:\windows\System32\DSentry.exe
"Microsoft Works Update Detection"=c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\POWERPNT.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 Fadpu16E;Fadpu16E;\??\c:\docume~1\David\LOCALS~1\Temp\Fadpu16E.sys --> c:\docume~1\David\LOCALS~1\Temp\Fadpu16E.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2002-08-29 00:12]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-04-15 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: charter.com\www
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\office
Trusted Zone: turbotax.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{472734EA-242A-422B-ADF8-83D1E48CC825} - (no file)
AddRemove-HijackThis - c:\documents and settings\Patricia Schramm\Local Settings\Temporary Internet Files\Content.IE5\ER9FSGLK\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-03 21:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1974513741-1537842860-46582326-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(512)
c:\windows\system32\WININET.dll
c:\program files\SiteAdvisor\6253\saHook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~2\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2009-11-04 21:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-04 02:35

Pre-Run: 3,695,493,120 bytes free
Post-Run: 5,598,994,432 bytes free


Re: WincodeCPRO MONSTER, Please save me

Post by Belahzur on Wed 04 Nov 2009, 6:58 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    C:\Program Files\Common Files\Real\Update_OB\derealsched.exe


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Re: WincodeCPRO MONSTER, Please save me

Post by trishschramm on Wed 04 Nov 2009, 8:39 pm

Hey there!

Here's the log:

========== FILES ==========
File/Folder C:\Program Files\Common Files\Real\Update_OB\derealsched.exe not found.

OTM by OldTimer - Version 3.0.0.6 log created on 11042009_213724


Re: WincodeCPRO MONSTER, Please save me

Post by trishschramm on Thu 05 Nov 2009, 8:50 pm

Does this mean my machine is fixed?


Re: WincodeCPRO MONSTER, Please save me

Post by DragonMaster Jay on Fri 06 Nov 2009, 8:54 am

SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

[You must be registered and logged in to see this link.]

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.

    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected

  • At the bottom of the page

    • Hidden Objects Only << Selected

  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.


DragonMaster Jay

Moderator | Tech Staff

Posts: 2126
Joined: 2009-09-06
Operating System: Windows 7 Ultimate 32-Bit


Re: WincodeCPRO MONSTER, Please save me

Post by trishschramm on Fri 06 Nov 2009, 11:54 pm

I've tried to post my SysProt log several times but when I click paste, your website goes into "Not Responding" mode. Am I doing something wrong? I open the text file, select all, copy, try to paste, then I become a dead player. ???????


Re: WincodeCPRO MONSTER, Please save me

Post by trishschramm on Sat 07 Nov 2009, 12:25 am

Ah HA - I just tried to paste the log, pieces at a time...sent to Post too big page....Now what?


Re: WincodeCPRO MONSTER, Please save me

Post by Doctor Inferno on Sat 07 Nov 2009, 1:58 am

Hello,

Split the log up into two or more parts.

______________________________
Milton


Doctor Inferno

The GeekPolice

Posts: 9935
Joined: 2007-12-26
Operating System: Windows 7 Ultimate 64-Bit


Re: WincodeCPRO MONSTER, Please save me

Post by trishschramm on Sat 07 Nov 2009, 9:30 am

Part 1
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F1CC2000
Module End: F1CDA000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F8B42000
Module End: F8B44000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwYieldExecution
At Address: 80515A6A
Jump To: F23E37B8
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwUnmapViewOfSection
At Address: 8057DEF1
Jump To: F23E37E4
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwUnloadKey
At Address: 80654DE6
Jump To: F23E38E9
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwTerminateProcess
At Address: 8058E695
Jump To: F23E37FD
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwSetValueKey
At Address: 8058228C
Jump To: F23E387B
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwSetInformationProcess
At Address: 8057CFC0
Jump To: F23E3766
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwSetContextThread
At Address: 80635977
Jump To: F23E377A
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwRestoreKey
At Address: 8065607D
Jump To: F23E3913
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwReplaceKey
At Address: 806564E8
Jump To: F23E3927
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwRenameKey
At Address: 80655B88
Jump To: F23E384F
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwQueryValueKey
At Address: 80573037
Jump To: F23E3891
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwQueryMultipleValueKey
At Address: 8065570C
Jump To: F23E38A7
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwQueryKey
At Address: 80578A14
Jump To: F23E393B
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwProtectVirtualMemory
At Address: 80581889
Jump To: F23E37A2
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenThread
At Address: 805E1941
Jump To: F23E3728
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenProcess
At Address: 80581702
Jump To: F23E3714
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenKey
At Address: 80572BF4
Jump To: F23E3811
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwNotifyChangeKey
At Address: 805E2197
Jump To: F23E38FF
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwMapViewOfSection
At Address: 8057E369
Jump To: F23E37CE
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwEnumerateValueKey
At Address: 80587693
Jump To: F23E38BD
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwEnumerateKey
At Address: 80578E14
Jump To: F23E38D3
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwDeleteValueKey
At Address: 80591F8B
Jump To: F23E3865
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwDeleteKey
At Address: 80593334
Jump To: F23E3839
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateProcessEx
At Address: 8058B7CD
Jump To: F23E3750
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateProcess
At Address: 805B0470
Jump To: F23E373C
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateKey
At Address: 8057791D
Jump To: F23E3825
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateFile
At Address: 8057C328
Jump To: F23E378E
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\b\sp2\update\update.exe
Status: Access denied

Object: C:\b\sp2\update
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Acrobat\6.0\AcroForm\MRUFormsList
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Acrobat\6.0\AcroForm
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Acrobat\6.0\AdobeComFnt06.lst
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Acrobat\6.0\Collab\OfflineDocs
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Acrobat\6.0\Collab\Reviews
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Acrobat\6.0\Collab
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Acrobat\6.0\eBooks
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Acrobat\6.0\JSADM.exv
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Acrobat\6.0\Messages\ENU\read0600win_ENUadbe0060.pdf
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Acrobat\6.0\Messages\ENU\read0600win_ENUyhoo0010.pdf
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Acrobat\6.0\Messages\ENU
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Acrobat\6.0\Messages
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Acrobat\6.0\Preferences\AutoFillDefaults.dat
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Acrobat\6.0\Preferences\defaultHeuristics.dat
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Acrobat\6.0\Preferences
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Acrobat\6.0\Security
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Acrobat\6.0\TMGrpPrm.sav
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Acrobat\6.0\Updater\udstore.js
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Acrobat\6.0\Updater
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Acrobat\6.0
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Acrobat
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\AIR\CRLCache\5CB653B2DAF9459B6E8E3796503DD779BAD8DB50.crl
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\AIR\CRLCache
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\AIR\Updater
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\AIR
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Flash Player\AssetCache\JESHH4KL\077BA3FD3A24318B67B13F8297375C8DF03582D8.heu
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Flash Player\AssetCache\JESHH4KL\077BA3FD3A24318B67B13F8297375C8DF03582D8.swz
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Flash Player\AssetCache\JESHH4KL\1C04C61346A1FA3139A37D860ED92632AA13DECF.heu
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Flash Player\AssetCache\JESHH4KL\1C04C61346A1FA3139A37D860ED92632AA13DECF.swz
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Flash Player\AssetCache\JESHH4KL\AF07B46903A6C5D87A24725CB7D50DE352A0383C.heu
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Flash Player\AssetCache\JESHH4KL\AF07B46903A6C5D87A24725CB7D50DE352A0383C.swz
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Flash Player\AssetCache\JESHH4KL\cacheSize.txt
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Flash Player\AssetCache\JESHH4KL\F7536EF0D78A77B889EEBE98BF96BA5321A1FDE0.heu
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Flash Player\AssetCache\JESHH4KL\F7536EF0D78A77B889EEBE98BF96BA5321A1FDE0.swz
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Flash Player\AssetCache\JESHH4KL
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Flash Player\AssetCache
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Flash Player
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Photoshop Album\Log.txt
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Photoshop Album\psa.prf
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Photoshop Album\status.dat
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe\Photoshop Album
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Adobe
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\AdobeUM
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Amazon\MP3 Downloader\DownloadQueue.amz
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Amazon\MP3 Downloader\Settings.xml
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Amazon\MP3 Downloader
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Amazon
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Apple Computer\iTunes\CD Info.cidb
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Apple Computer\iTunes\iPod Software Updates\iPod_19.1.1.3.ipsw
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Apple Computer\iTunes\iPod Software Updates\iPod_19.1.1.3.ipsw.signature
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Apple Computer\iTunes\iPod Software Updates
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Apple Computer\iTunes\iPod Updater Logs\iPodUpdater.log
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Apple Computer\iTunes\iPod Updater Logs
Status: Access denied

Object: C:\Documents and Settings\Danny\Application Data\Apple Computer\iTunes\iTunes Plug-ins
Status: Access denied
