
Can't get rid of the malware

Discussion in 'Malware Removal' started by mbmadiw, Sep 25, 2011.

  1. mbmadiw

    mbmadiw Corporal

    My friend gave me his computer to fix because he said it was restarting on its own. When you log in, it gets to the Desktop and then restarts.

    In Safe Mode, it'll stay on the Desktop, but there are multiple popups asking you what program you want to open things with. That happens whenever you click on anything too. Right clicking and selecting start will allow you to open a program. There are also redirects when using IE 8.

    I have followed the Read & Run Me First instructions, but had some trouble with certain steps:

    • I cannot uninstall most items. I get an error saying the specified module cannot be found.
    • Combo Fix runs but some of the stages say I must use an administrator command prompt. I am logged in with the original computer administrator account.
    • Root Repeal won't scan. It says "Could not initialize driver. Please contact the author." and then "Could not scan drive c (error 0xc0000024)". I downloaded it from two different sources, just to be sure that I had received a good copy of the software. I found a reference that said Windows Update will fix this problem. I cannot get Windows Update to start.

    After running all of these scans as best as I could, the computer was still obviously infected and showed the same things happening. I ran all of the scans again, but there was no change. Each time Super AntiSpyware and MalwareBytes run, they find hundreds of items. They clear them, the computer restarts, and they're all back. I run the scans again, repeat, repeat.

    Attached are the logs from the last time I've run everything. I did them in the correct order per the instructions.

    Thank you for your assistance! :wave
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download The Avenger by Swandog46 to your Desktop.

    See the download links under this icon [​IMG]
    Extract avenger.exe from the Zip file and save it to your desktop.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.



    1. Run avenger.exe by double-clicking on it.
    2. Click OK at the warning to continue to use The Avenger
    3. Do not change any of the check box options!
    4. Shut down your protection software now to avoid possible conflicts.
    5. Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
    6. Now click the [​IMG] button
    7. Click Yes to the prompt to confirm you want to execute.
    8. Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
    9. Your PC should reboot, if not, reboot it yourself.
    10. A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
    11. Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  3. mbmadiw

    mbmadiw Corporal

    Successful:
    -Downloaded Avenger
    -Ran Hijack This and fixed items per your list
    -Merged fixME.reg into registry and got success message

    Problem:
    1. Opened The Avenger and inserted script, Step 1 successful. Rebooted as directed by the program
    2. Immediately after logging in, the computer rebooted on its own (just like it has been)
    3. I then went into Safe Mode to check for the log file. There was none. I opened The Avenger to check for a log file. It said there are none.
    4. I rebooted again to give it another chance, same thing happened as in items #2 and #3 above.

    Should I go ahead and run the C:\MGtools\GetLogs.bat file?
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes.
     
  5. mbmadiw

    mbmadiw Corporal

    OK - Here is the one log that I can attach. :)
    Tell me what's next! Thanks so much.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Nothing was fixed. Let's try it again.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now let's use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    My Web Search Service
    eemldjxq
    ejeffge
    jnmi
    kygtlmwn
    nqwudb
    ppho
    
    File::
    C:\Users\kobebryant\AppData\Roaming\C8C8.9B8
    C:\Users\kobebryant\AppData\Roaming\Microsoft\Windows\Templates\34q37gkmi64pl80qvtj7w66r10y20on1ebds653xcy
    C:\ProgramData\81amysc2c3drnt
    C:\WINDOWS\System32\drivers\eemldjxq.sys
    C:\WINDOWS\System32\drivers\ejeffge.sys
    C:\WINDOWS\System32\drivers\jnmi.sys
    C:\WINDOWS\System32\drivers\kygtlmwn.sys
    C:\WINDOWS\System32\drivers\nqwudb.sys
    C:\WINDOWS\System32\drivers\ppho.sys
    C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe
    C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "My Web Search Bar Search Scope Monitor"=-
    "MyWebSearch Email Plugin"=-
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "2743579992"=-
    "Ososilowadilaki"=-
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Note: If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  7. mbmadiw

    mbmadiw Corporal

    I was able to run HJT and merge the registry changes again. Got the success message.

    I was not able to drop the CFscript.txt file onto the ComboFix icon. Just like when I try to open a program by clicking on the icon, I get a popup asking me what program to run it with. I cannot get past this, because it won't allow me to pick a program. Right clicking on the .txt file and selecting Open With does the same thing.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this. Let's have a fresh look on what is going on.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please go to the below link and scroll down to the exe file fix:

    Fix Exe Association

    Or use THIS ONE.

    Can you now do the ComboFix fix?
     
  10. mbmadiw

    mbmadiw Corporal

    For the exe file association fix, the first link didn't work, but I got a success message with the second one.

    I've attached the ComboFix and GetLogs.bat logs.

    Thank you for your continued work on this problem.
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your ComboFix log states that you should try running it again. Please do the fix one more time and attach the new log.
     
  12. mbmadiw

    mbmadiw Corporal

    I ran ComboFix two more times, but both times the logs say it needs to run again. I'm attaching both for your reference.
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Crap. Run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).

    Then attach the below logs:

    * C:\MGlogs.zip

    But first:

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.



    Download OTL to your desktop.

    Double-click OTL.exe to start the program.

    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

    Code:
    :processes
    
    :services
    My Web Search Service
    eemldjxq
    ejeffge
    jnmi
    kygtlmwn
    nqwudb
    ppho
    
    :files
    C:\Users\kobebryant\AppData\Roaming\C8C8.9B8
    C:\Users\kobebryant\AppData\Roaming\Microsoft\Windows\Templates\34q37gkmi64pl80qvtj7w66r10y20on1ebds653xcy
    C:\ProgramData\81amysc2c3drnt
    C:\WINDOWS\System32\drivers\eemldjxq.sys
    C:\WINDOWS\System32\drivers\ejeffge.sys
    C:\WINDOWS\System32\drivers\jnmi.sys
    C:\WINDOWS\System32\drivers\kygtlmwn.sys
    C:\WINDOWS\System32\drivers\nqwudb.sys
    C:\WINDOWS\System32\drivers\ppho.sys
    C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe
    C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll
    
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  14. mbmadiw

    mbmadiw Corporal

    • Got the success message for the fixME.reg file.
    • OTL appeared to run correctly, but the log did not open after the reboot. I found a log at C:\_OTL\MovedFiles and have attached that.
    • MGlogs.zip is attached
     

    Attached Files:

  15. mbmadiw

    mbmadiw Corporal

    oops - didn't attach this with the last post
     

    Attached Files:

  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It's looking better, but let's try doing this in normal mode:

    Use add/remove programs to uninstall:
    My Web Search (IWON)

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.



    Double-click OTL.exe to start the program.

    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

    Code:
    :processes
    :otl
    O2 - BHO: (no name) - {007358C5-5BD1-43F6-91B1-87217EF02ECa} - C:\Windows\system32\AUDIOKSE32.dll (file missing)
    O2 - BHO: (no name) - {0082DFEF-84A7-4A49-84F7-E96D8292CFDb} - C:\Windows\system32\AUDIOKSE32.dll (file missing)
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (file missing)
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
    O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
    O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKUS\S-1-5-18\..\Run: [2743579992] C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Ososilowadilaki] rundll32.exe  "C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll",Startup (User 'SYSTEM')
    O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
    O23 - Service: My Web Search Service  (MyWebSearchService32) - Unknown owner - C:\Windows\system32\IMJP10K32.exe (file missing)
    
    :files
    C:\cotvrcla.txt
    C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe
    C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  17. mbmadiw

    mbmadiw Corporal

    I can't uninstall My Web Search. What should I do?
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try Revo Uninstaller.
    Choose the option on the bottom of the list (#4). Be very careful while deleting the bolded registry items ONLY!! This software will create a system restore point for you as well prior to uninstalling a software program.
     
  19. mbmadiw

    mbmadiw Corporal

    Revo Uninstaller may have worked. When I first clicked to uninstall, it gave me the same dialog box telling me there was an error. However, it did appear to go through the steps and remove everything. (?) After it was done MyWebSearch was no longer in the list.

    analyse.exe seemed to then run fine. fixME.reg got the success message.

    OTL got hung up and froze the computer for quite a long time. Tried again after a reboot, same thing. No log was made for it.

    getlogs.bat ran and the zipped logs folder is attached.
     

    Attached Files:

    Last edited: Sep 30, 2011
  20. mbmadiw

    mbmadiw Corporal

    Sorry - not sure if I uploaded the right file and now it won't let me upload it again.
     
  21. thisisu

    thisisu Malware Consultant

    No worries. It's attached in post #19
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    All of the below needs to be done in NORMAL mode please, not safe mode, unless you actually cannot use normal mode.

    No but it still shows in uninstall a program listing, I can see them all in the newfiles log. Use Revo again and uninstall any of the below if you see them.

    • Ask Toolbar
    • AVG Free 9.0 <--- Outdated and may hinder our fix in my opinion.
    • Java(TM) 6 Update 17 <--- Outdated.
    • Java(TM) SE Runtime Environment 6 Update 1 <--- Outdated.
    • My Web Search (IWON)
    • PC Power Speed 1.0.0.0
    • Norton Security Scan
    • Inbox Toolbar



    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished): (But yours should have already been uninstalled by now)

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • O1 - Hosts: ÿþ127.0.0.1 localhost
    • O1 - Hosts: ::1 localhost
    • O2 - BHO: (no name) - {007358C5-5BD1-43F6-91B1-87217EF02ECa} - C:\Windows\system32\AUDIOKSE32.dll (file missing)
    • O2 - BHO: (no name) - {0082DFEF-84A7-4A49-84F7-E96D8292CFDb} - C:\Windows\system32\AUDIOKSE32.dll (file missing)
    • O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    • O4 - HKLM\..\Run: [cleanddm] C:\Windows\system32\config\systemprofile\AppData\Local\cleanddm.exe
    • O4 - HKCU\..\Run: [conhost] C:\Users\kobebryant\AppData\Roaming\Microsoft\conhost.exe
    • O4 - HKUS\S-1-5-18\..\Run: [2743579992] C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe (User 'SYSTEM')
    • O4 - HKUS\S-1-5-18\..\Run: [Ososilowadilaki] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll",Startup (User 'SYSTEM')
    • O23 - Service: Thread Ordering Server (THREADORDER32) - Unknown owner - C:\Windows\system32\KBDINKAN32.exe (file missing)
    • O23 - Service: Desktop Window Manager Session Manager (UxSms32) - Unknown owner - C:\Windows\system32\msdmo32.exe (file missing)

    After clicking Fix exit HJT.




    Now we need to use ComboFix by sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Driver::
    THREADORDER32
    UxSms32
    
    File::
    C:\Windows\system32\AUDIOKSE32.dll
    C:\WINDOWS\System32\743097211
    C:\WINDOWS\System32\temppf.sys
    C:\Windows\system32\config\systemprofile\AppData\Local\cleanddm.exe
    C:\Users\kobebryant\AppData\Roaming\Microsoft\conhost.exe
    C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe
    C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll
    C:\Windows\system32\KBDINKAN32.exe
    C:\Windows\system32\msdmo32.exe
    
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "conhost"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "cleanddm"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.



    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run



    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Now try to run Rootrepeal as well please.


    Now try to run OTL as follows:

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • (Vista and Windows 7 users: right-click OTL and choose Run as Administrator)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.



    SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :regfind
      2743579992
      Ososilowadilaki
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt



    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6



    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.


    Download and run Win32kDiag per the below instructions:
    • Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log
    C:\win32kdiag.exe -f -r



    Now we need to scan the system with this special tool.
    • Please download Junction.zip and save it to your root folder (C:\Junction.zip)
    • Unzip it and put junction.exe in the root folder (C:\junction.exe)
    • Now click Start => Run... => Copy and paste the following command in the run box and click OK:
      cmd /c junction -s c:\ >C:\log.txt
    • A command prompt window opens and also a license agreement from SysInternals will appear.
    • Accept the license agreement and the scan will begin.
    • Wait until a log file opens. Attach this C:\log.txt when it finishes (the command prompt window will close when it finishes). (How to attach items to your post)
    • NOTE: It scans your whole hard disk so it can take a long time. Be patient and don't do anything else while it is scanning.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
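
Added example (not part of the post above or of any MajorGeeks tool): a Python triage pass over HijackThis-style lines like the ones selected for fixing in that post, showing which traits make an entry worth a closer look. The reason labels, the heuristics and the `ExampleTray` line are assumptions of this example, not rules stated in the thread.

```python
import re

# Lines copied from the HijackThis list in the post above, plus one constructed
# benign entry (ExampleTray) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {007358C5-5BD1-43F6-91B1-87217EF02ECa} - C:\Windows\system32\AUDIOKSE32.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [cleanddm] C:\Windows\system32\config\systemprofile\AppData\Local\cleanddm.exe
O4 - HKCU\..\Run: [conhost] C:\Users\kobebryant\AppData\Roaming\Microsoft\conhost.exe
O4 - HKUS\S-1-5-18\..\Run: [2743579992] C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Ososilowadilaki] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll",Startup (User 'SYSTEM')
O23 - Service: Thread Ordering Server (THREADORDER32) - Unknown owner - C:\Windows\system32\KBDINKAN32.exe (file missing)
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys)', re.I)
PROFILE_RE = re.compile(r"\\AppData\\(?:Local|Roaming)\\", re.I)
# Assumed short list of Windows binaries that normally live in System32.
SYSTEM_NAMES = {"conhost.exe", "svchost.exe", "csrss.exe", "lsass.exe"}
SYSTEM32 = r"c:\windows\system32"


def triage_entry(line):
    """Return (section, reasons) for one HijackThis line, or None if unparsed."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    section, _kind, rest = m.groups()
    reasons = []
    # The registry still references a binary that is no longer on disk.
    if re.search(r"\((?:file missing|no file)\)", rest):
        reasons.append("target-missing")
    if section == "O2" and rest.startswith("(no name)"):
        reasons.append("unnamed-bho")
    if section == "O4":
        # Autoruns launched from a user-writable profile directory.
        if PROFILE_RE.search(rest):
            reasons.append("autorun-from-profile")
        name = re.match(r"\[([^\]]*)\]", rest)
        if name and name.group(1).isdigit():
            reasons.append("numeric-value-name")
        if re.search(r"\brundll32(?:\.exe)?\b", rest, re.I):
            reasons.append("rundll32-launcher")
    if section == "O23" and "Unknown owner" in rest:
        reasons.append("unknown-service-owner")
    # A system binary name used from a directory other than System32.
    path = PATH_RE.search(rest)
    if path:
        directory, _, base = path.group(0).lower().rpartition("\\")
        if base in SYSTEM_NAMES and directory != SYSTEM32:
            reasons.append("system-name-outside-system32")
    return section, reasons


def triage_log(text):
    """Triage every parseable line; returns [(line, section, reasons), ...]."""
    results = []
    for line in text.splitlines():
        parsed = triage_entry(line)
        if parsed is not None:
            results.append((line.strip(), parsed[0], parsed[1]))
    return results


if __name__ == "__main__":
    for line, section, reasons in triage_log(SAMPLE_LOG):
        verdict = ", ".join(reasons) if reasons else "no flags"
        print(f"{section:<4} {verdict}\n     {line}")
```

The labels are triage hints for a human reviewer, not verdicts: an entry with no flags is not thereby clean, and a flagged one still needs to be checked against the full logs.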
     
  23. mbmadiw

    mbmadiw Corporal

    I can enter Normal mode, but it restarts the computer within about 30 seconds. This is one of the initial problems that has not yet been corrected. So, I have to do everything in Safe Mode still.

    Revo Uninstaller: I removed every item on your list. For each item, (except MyWebSearch), I got one of the following error messages:
    • Windows Installer service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
    • Running the application's uninstaller failed. Possible invalid uninstall command
    • The Windows Installer service is not accessible in Safe Mode. Please try again . . .
    • Error loading C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsbar.dll. The specified module could not be found.
    However, it still did go through each of the steps saying the program, registry items and extra files were removed.

    HJT: appeared to run successfully

    ComboFix: When dragging the CFscript.txt file onto the icon, I again had the problem of the Open With dialog box popping up. I used the .exe fix to correct it again. ComboFix appeared to run successfully as it has before.

    TDSS Killer: No threats found

    MBR Check: Done

    RootRepeal: Upon opening the program, I get this message: FOPS - DeviceIoControlError! Error Code = 0x0000024 Extended Info (0x00000100)

    OTL: Scan ran. The two notepad windows did not open.

    SystemLook: Ran and Notepad window opened

    Java: Downloaded, but could not run. Error: The Windows Installer service is not accessible in Safe Mode.

    GetLogs.bat: ran

    Win32kDiag: When attempting to run I got this error message: c:\win32kdiag.exe Application not found. I tried to run it by right click, Run as Administrator. It opened and gave a log.

    Junction.exe: Same problem as with win32kdiag. I was unable to run this one by right clicking.


    I am attaching the logs of every one that you requested, as long as they produced a log.
    Thank you for your continued help on this.
     

    Attached Files:

  24. mbmadiw

    mbmadiw Corporal

    Remaining logs that I couldn't attach to last message
     

    Attached Files:

  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Double-click OTL.exe to start the program.

    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

    Code:
    :processes
    :otl
    O2 - BHO: (Reg Error: Value error.) - {007358C5-5BD1-43F6-91B1-87217EF02ECa} - C:\Windows\system32\AUDIOKSE32.dll File not found
    O2 - BHO: (Reg Error: Value error.) - {0082DFEF-84A7-4A49-84F7-E96D8292CFDb} - C:\Windows\system32\AUDIOKSE32.dll File not found
    O2 - BHO: (MyWebSearch Search Assistant BHO) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL File not found
    O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll File not found
    O2 - BHO: (mwsBar BHO) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL File not found
    O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll File not found
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll File not found
    O2 - BHO: (FrostWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found
    O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
    O3 - HKLM\..\Toolbar: (My Web Search) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL File not found
    O3 - HKLM\..\Toolbar: (&Crawler Toolbar) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll File not found
    O3 - HKLM\..\Toolbar: (FrostWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found
    O3 - HKLM\..\Toolbar: (&Inbox Toolbar) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll File not found
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll File not found
    O3 - HKCU\..\Toolbar\WebBrowser: (&Crawler Toolbar) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll File not found
    O3 - HKCU\..\Toolbar\WebBrowser: (FrostWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found
    O3 - HKCU\..\Toolbar\WebBrowser: (&Inbox Toolbar) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll File not found
    O4 - HKLM..\Run: []  File not found
    O4 - HKLM..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe" File not found
    O4 - HKLM..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe File not found
    O4 - HKLM..\Run: [cleanddm] C:\Windows\system32\config\systemprofile\AppData\Local\cleanddm.exe File not found
    O4 - HKLM..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h File not found
    O4 - HKLM..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe File not found
    
    :files
    C:\ProgramData\58buw8x567u4lj0h5muh1i27tls0vo45a5
    C:\ProgramData\nnrkxa3212pn2yo44twiuj27ui6iqwd
    C:\ProgramData\l727u6qd31hn2kq7144hchw2vtw41c5d5b4omb
    C:\ProgramData\s46818j8p3gi8c5tpls8164006cc2f3ohoum
    C:\Users\kobebryant\AppData\Local\34q37gkmi64pl80qvtj7w66r10y20on1ebds653xcy
    C:\ProgramData\34q37gkmi64pl80qvtj7w66r10y20on1ebds653xcy
    C:\Users\kobebryant\AppData\Local\oxetamew.dll
    C:\Users\kobebryant\AppData\Local\ewokukaseg.dll
    C:\Users\kobebryant\AppData\Local\oxehosozidohu.dll
    C:\Users\kobebryant\AppData\Local\ajotapimo.dll
    C:\Users\kobebryant\AppData\Local\ekowanubilil.dll
    C:\Users\kobebryant\AppData\Local\Xjufuwaru.dat
    C:\Users\kobebryant\AppData\Local\Jqoyifa.bin
    C:\Windows\Tasks\Woumbfg.job
    
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
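
The OTL lines in the fix script above follow a regular shape, so they can be triaged mechanically. The following is an added example, not part of the thread or of OTL itself: it parses a constructed subset of those lines and reports entries OTL marked "File not found", CLSIDs registered under more than one key, and Run entries that launch from a profile AppData folder. The function names and the triage categories are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the OTL lines quoted in the fix script above.
SAMPLE = r"""
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O2 - BHO: (FrostWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found
O3 - HKLM\..\Toolbar: (FrostWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (FrostWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [cleanddm] C:\Windows\system32\config\systemprofile\AppData\Local\cleanddm.exe File not found
O4 - HKLM..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h File not found
""".strip().splitlines()

# O2/O3 style: section - key: (display name) - {CLSID} - target
CLSID_RE = re.compile(r"^(O\d+) - (.+?): \((.*)\) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
# O4 style: section - key: [value name] command line
RUN_RE = re.compile(r"^(O\d+) - (.+?): \[(.*?)\]\s*(.*)$")
MISSING = "File not found"

def parse_otl_line(line):
    """Return a dict for one OTL 'O' line, or None if the line has another shape."""
    line = line.strip()
    m = CLSID_RE.match(line)
    if m:
        section, key, name, clsid, rest = m.groups()
    else:
        m = RUN_RE.match(line)
        if not m:
            return None
        section, key, name, rest = m.groups()
        clsid = None
    missing = rest.endswith(MISSING)
    target = rest[:-len(MISSING)].strip() if missing else rest.strip()
    return {"section": section, "key": key, "name": name,
            "clsid": clsid.upper() if clsid else None,
            "target": target, "missing": missing}

def triage(lines):
    """Group parsed entries into the three categories described in the lead-in."""
    entries = [e for e in map(parse_otl_line, lines) if e]
    by_clsid = defaultdict(list)
    for e in entries:
        if e["clsid"]:
            by_clsid[e["clsid"]].append(e["section"] + " " + e["key"])
    return {
        # Registry entries whose target OTL reported as "File not found".
        "orphans": [e for e in entries if e["missing"]],
        # One component registered in several places: every key needs cleaning.
        "multi_registered": {c: k for c, k in by_clsid.items() if len(k) > 1},
        # Autoruns that start a binary from a profile AppData folder.
        "profile_autoruns": [e["name"] for e in entries
                             if e["section"] == "O4"
                             and "\\appdata\\" in e["target"].lower()],
    }

if __name__ == "__main__":
    for category, items in triage(SAMPLE).items():
        print(category, "->", items)
```
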
     
  26. mbmadiw

    mbmadiw Corporal

    got the fixME.reg success message
    OTL and GetLogs.bat seemed to run well
    Logs attached!
     

    Attached Files:

  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Uninstall MBAM, reboot and run CCleaner. Then download a new version of MBAM and run it new.

    Then please do the following:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Do a search and see if you can find and delete:
    C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe
    C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll

    Double-click SystemLook.exe to run it.
    Copy the content of the following codebox into the main textfield:
    Code:
    :regfind
    2743579992
    Ososilowadilaki
    :file
    2743579992
    Ososilowadilaki
    
    Click the Look button to start the scan.
    When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

    Now copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now re-run OTL and attach that new log.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).

    Then attach the below logs:

    * C:\MGlogs.zip


     
  28. mbmadiw

    mbmadiw Corporal

    Successful:
    • uninstalled MBAM
    • ran CCleaner
    • downloaded and ran new MBAM
    • ran analyse.exe
    • ran SystemLook.exe
    • merge fixME.reg (got success message)
    • ran GetLogs.bat
    All requested logs plus mbam log are attached in this and the next message

    Could not find:
    • C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe
    • C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll
     

    Attached Files:

  29. mbmadiw

    mbmadiw Corporal

    and here's the last log
     

    Attached Files:

  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Much better!!! Your logs are starting to look good.

    Go to start / run / and type:
    services.msc
    When the panel opens, scroll down and find these two services:
    My Web Search Service (MyWebSearchService)
    My Web Search Service (MyWebSearchService32)
    Make sure they are stopped and delete them.

    Now let's run Combo one more time:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    KILLALL::
    
    Driver::
    wrcqjdf
    
    File::
    C:\WINDOWS\Tasks\Woumbfg.job
    C:\WINDOWS\System32\drivers\wrcqjdf.sys
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Note: If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now tell me how things are running.
     
  31. mbmadiw

    mbmadiw Corporal

    glad to hear we're making some progress!

    I found those two items, but couldn't find a way to delete them. Is it because I'm in Safe Mode (can't stay in Normal mode-it restarts), or am I missing something obvious? There is no option in the menu, toolbars or right click menu. Delete key didn't work.

    Ran Combofix twice because I noticed the log said overlay aborted. Says it again in second log which is attached!
     

    Attached Files:

  32. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click OTL.exe to start the program.

    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

    Code:
    :processes
    :otl
    :services
    wrcqjdf
    MyWebSearchService
    MyWebSearchService32
    :files
    C:\WINDOWS\Tasks\Woumbfg.job
    C:\WINDOWS\System32\drivers\wrcqjdf.sys
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  33. mbmadiw

    mbmadiw Corporal

    Here are the latest logs! Are we seeing the light at the end of the tunnel? :)
     

    Attached Files:

  34. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Some items are still showing in your MGLogs. Did you run it before doing the OTL fix?

    Please try to run C:\MGtools\GetLogs.bat file in normal mode. And also run RootRepeal.
     
  35. mbmadiw

    mbmadiw Corporal

    I am always doing everything in the exact order you tell me to.

    I cannot run anything in Normal mode. The computer restarts after getting to the desktop.

    I cannot run Root Repeal. Please see the full description of why in my previous posts.
     
  36. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download this file to your desktop

    Kaspersky Virus Removal Tool

    Run the program you have just downloaded to your desktop (it will be randomly named)

    First we will run a virus scan.

    • On the first tab select all elements down to Computer and then select start scan.
    • Once it has finished select report and post that.


    Do not close AVPTool or it will self uninstall, if it does uninstall - then just rerun the setup file on your desktop.

    Now an analysis scan


    • Select the Manual Disinfection tab
    • Press the Gather System Information button
    • Once done, still on the Manual Disinfection tab, click the little icon of a file which is the "reports" button. Now click on Manual Disinfection report. You should see an option to save a report here with a little button with an icon of a disk. Attach this log please.
    • The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip
     
  37. mbmadiw

    mbmadiw Corporal

    2nd log is attached
    The first log is 65 mb, so I can't attach it. If it helps you know what happened, 34 threats were found.

    what's next?
     

    Attached Files:

  38. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Then break the log up into two logs or zip it up so that TimW can take a look.
     
  39. mbmadiw

    mbmadiw Corporal

    alrighty then - thought the max upload size was 97 kb, now I see I can do more than that with zipped files

    Anyway, the computer is freezing. It can't handle opening a file of that size. TimW-please see the private message I sent about getting the log to you. Thank you.
     
  40. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try this. Go to start / run and type:
    msconfig
    When it opens, go to services, check the box to hide all MS services and then disable the rest. Then click on the startup tab and disable all those. Now see if you can stay running in normal mode. Let me know.

    I did get your zipped file, nothing was found.
     
  41. mbmadiw

    mbmadiw Corporal

    I did the above steps, but am sorry to report that it still restarted as soon as it gets to the desktop in normal mode.
     
  42. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your issues are not malware related. We still have adaware crap to remove, but it is not the reason for normal mode not working. I suggest you start a thread in the software forum to address that issue.

    In the meantime, we can try to finish cleaning house.

    Use add/remove programs to try to uninstall:
    Ask Toolbar
    Crawler Toolbar
    FrostWire 4.21.3
    Java(TM) SE Runtime Environment 6 Update 1
    My Web Search (IWON)

    You can try using Revo Uninstaller to remove those programs.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Download OTM by Old Timer and save it to your Desktop.


    • Right-click OTM.exe and select "Run as administrator" to run it.
    • Paste the following code under the [​IMG] area. Do not include the word Code.


    Code:
    :Processes
    explorer.exe
    
    :Services
    MyWebSearchService
    MyWebSearchService32
    
    :Files
    C:\Windows\system32\config\systemprofile\AppData\Local\asi.exe
    C:\Windows\system32\config\systemprofile\AppData\Local\NCor32.dll
    C:\PROGRAM FILES\MYWEBSEARCH
    
    :Reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "My Web Search Bar Search Scope Monitor"=-
    "MyWebSearch Email Plugin"=-
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "2743579992"=-
    "Ososilowadilaki"=-
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{007358C5-5BD1-43F6-91B1-87217EF02ECa}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0082DFEF-84A7-4A49-84F7-E96D8292CFDb}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    
    :Commands
    [purity]
    [ResetHosts]
    [createrestorepoint]
    [emptytemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [​IMG] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.


    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now download and install:
    Java Runtime 7
     
