I dunno what happened with my computer today, but all of a sudden I was pounded with adware and spyware earlier today. I've been running scans all day with all sorts of programs, and I still can't get rid of this program called SpyFalcon, which is a rogue antispyware, which was installed on my computer by some Trojan.Popuper. I'm completely out of ideas on what to do, so hopefully somebody can help me out with my problem, cause I'm going insane trying to get rid of this. I've tried System Restore, but it won't let me restore to any day that has a restore point.
Ironic, I had the same problem today. I uninstalled SpyFalcon, then I installed a software called Prevx1. When you install it, it should automatically do a scan. It takes a while. After the scan is complete, shut down Prevx1 and uninstall it. I suggest this because, if you keep it on, it will always tell you that you have an infection and have to run a scan. This scan takes much longer than it would take with Ad-Aware, so I suggest that, after you remove this Prevx1, you run an Ad-Aware scan. Ad-Aware, however, does not remove SpyFalcon.

Download link for Prevx1: http://free.prevx.com/

And by the way, Prevx1 is a free trial.

Good luck
smaan
Download, update & run in this order:

ccleaner http://www.ccleaner.com/
cwshredder http://www.intermute.com/products/cwshredder.html
ad-aware se http://www.download.com/Ad-Aware-SE...045910.html?part=dl-ad-aware&subj=dl&tag=top5
spybot s&d http://www.majorgeeks.com/download2471.html
online virus & spyware scan http://housecall60.trendmicro.com/en/start_corp.asp
Ran all those items in that order, and there's still an icon in my taskbar blinking saying that I have a virus. This is the thing that's SpyFalcon, and it's still there. I don't know what else to do here, guys. Anything else?

Forgot to mention that SpyFalcon does not appear under Add/Remove Programs.
Tried that program too, and it was still there. But I remembered one of the scans I ran showed a file that was infected, so I just went into Safe Mode and deleted it. Rebooted, and now it's gone. Or at least there's nothing on the taskbar anymore telling me that my system is infected. So I'm gonna run a virus scan and see if I'm all clean.
@matt24_02 Your smitfraud infection is probably not completely gone... In order to remove it completely, it usually requires its own fix.

Please post a HijackThis log to here, instructions -> http://forums.afterdawn.com/thread_view.cfm/263784 (steps 3-5)

Then download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Unzip it (folder named SmitFraudFix) to your desktop.
Open the folder SmitfraudFix and double-click smitfraudfix.cmd.
Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if those exist).
Post the contents of this text file to here.

(Some antiviruses recognise process.exe as malware. It is not malware, it is a program that stops processes.)

So post a HijackThis log and a SmitfraudFix log to here and we can see if you are clean.
Logfile of HijackThis v1.99.1
Scan saved at 11:37:20 AM, on 5/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\setup programs\utorrent.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [µTorrent] "C:\setup programs\utorrent.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Dbad] "C:\PROGRA~1\PPATCH~1\arpa.exe" -vt yazr
O4 - HKCU\..\Run: [Wtxyrrl] C:\Documents and Settings\Gill\My Documents\??sks\d?xplore.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{367C827C-4197-4868-A95B-BA6933F02F7D}: NameServer = 65.114.88.19,65.114.88.18
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6A8A302-51A9-4A21-9DD1-7FFB303ABEB7}: NameServer = 65.114.88.19,65.114.88.18
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
SmitFraudFix v2.40

Scan done at 11:41:19.46, Sun 05/07/2006
Run from C:\Documents and Settings\Gill\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Gill\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Gill\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{35a88e51-b53d-43e9-b8a7-75d4c31b4676}"="Register LogWare"

[HKEY_CLASSES_ROOT\CLSID\{35a88e51-b53d-43e9-b8a7-75d4c31b4676}\InProcServer32]
@="C:\WINDOWS\system32\reglogs.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{35a88e51-b53d-43e9-b8a7-75d4c31b4676}\InProcServer32]
@="C:\WINDOWS\system32\reglogs.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
I had this a couple of weeks ago. Found the answer on Google (although a lot of Google's results didn't work). This might be the one, I can't remember (worth a shot): http://www.spywareremove.com/removeSpy_Falcon.html
Hi again matt24_02.

You don't have a firewall on your computer. Download and install one firewall. These are good (free) firewalls:
ZoneAlarm --> http://www.zonelabs.com
Kerio --> http://www.sunbelt-software.com/Kerio.cfm
Outpost --> http://www.agnitum.com

Ok, you have that smitfraud and some other infections too....

Cleaning instructions:

Download and install Ewido, UPDATE it, but do NOT run a scan yet. -> http://www.ewido.net/en/download
We'll use it later.

Fix the following entries with HijackThis (run HijackThis, press "Do a system scan only", close all other windows, checkmark entries and press Fix checked):

R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [Dbad] "C:\PROGRA~1\PPATCH~1\arpa.exe" -vt yazr
O4 - HKCU\..\Run: [Wtxyrrl] C:\Documents and Settings\Gill\My Documents\??sks\d?xplore.exe

Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html

Restart your computer to the safe mode and choose your normal user account -> http://www.pchell.com/support/safemode.shtml

Delete these folders (if found):
C:\PROGRAM FILES\PPATCH~1
C:\Documents and Settings\Gill\My Documents\??sks (these -> ?? are some random letters)

When in safe mode, open the SmitfraudFix folder and double-click the file smitfraudfix.cmd.
Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.
You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.
The tool checks if the wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".
The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode.
A text file will appear after the cleaning process; copy this file and paste it to here. The log is saved to your local disk drive, usually C:\rapport.txt.

Warning: Running option 2 on a clean computer will delete your desktop wallpaper.

Scan and clean your computer with Ewido and save the log file.

Make your hidden files invisible again.

Post the following logs to here:
-> Ewido's log
-> a new HijackThis log
-> contents of C:\rapport.txt
SmitFraudFix v2.40

Scan done at 13:54:41.14, Sun 05/07/2006
Run from C:\Documents and Settings\Gill\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\hp????.tmp Deleted
C:\WINDOWS\system32\1024\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:16:12 PM, 5/7/2006
+ Report-Checksum: 55B58CA0

+ Scan result:

:mozilla.21:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup
:mozilla.148:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.149:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.150:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.151:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.157:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.158:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.159:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.160:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.170:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.171:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.172:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.173:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.174:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.175:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.176:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.214:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.215:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.226:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.227:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.228:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.229:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.261:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
:mozilla.262:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.289:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.290:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.291:C:\Documents and Settings\Gill\Application Data\Netscape\NSB\Profiles\szfrvm7n.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Gill\Cookies\gill@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Gill\Cookies\gill@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Gill\Cookies\gill@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Gill\Cookies\gill@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Gill\Cookies\gill@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Gill\Cookies\gill@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Gill\Cookies\gill@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Gill\Cookies\gill@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Gill\Cookies\gill@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Gill\Cookies\gill@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Gill\Cookies\gill@z1.adserver[2].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\WINDOWS\mtuninst.exe -> Adware.MediaTickets : Cleaned with backup

::Report End
Logfile of HijackThis v1.99.1
Scan saved at 2:18:08 PM, on 5/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\setup programs\utorrent.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [µTorrent] "C:\setup programs\utorrent.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{367C827C-4197-4868-A95B-BA6933F02F7D}: NameServer = 65.114.88.19,65.114.88.18
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6A8A302-51A9-4A21-9DD1-7FFB303ABEB7}: NameServer = 65.114.88.19,65.114.88.18
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Same problem with SpyFalcon... here is my SmitFraudFix logfile...

SmitFraudFix v2.43
Scan done at 9:24:56.04, Sat 05/13/2006
Run from C:\Documents and Settings\George Mallia\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\country.exe FOUND !
C:\WINDOWS\toolbar.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\appmagr.dll FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\George Mallia\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\GEORGE~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{64ba30a2-811a-4597-b0af-d551128be340}"="AppManager"
[HKEY_CLASSES_ROOT\CLSID\{64ba30a2-811a-4597-b0af-d551128be340}\InProcServer32]
@="C:\WINDOWS\system32\appmagr.dll"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{64ba30a2-811a-4597-b0af-d551128be340}\InProcServer32]
@="C:\WINDOWS\system32\appmagr.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
