Similar to the mshp.dll problem below, I am getting a bzxlc.dll homepage

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Andy R, Jun 14, 2004.

  1. Andy R

    Andy R Private E-2

    I have followed all the steps in that thread, and cannot get rid of it. Here is my HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:35:47 PM, on 6/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\sysge32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\apifv.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\WINAMP\winamp.exe
    C:\Documents and Settings\Andy\Desktop\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bzxlc.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bzxlc.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bzxlc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bzxlc.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bzxlc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bzxlc.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Dell
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = ,
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
    O2 - BHO: (no name) - {55D1B795-FBD4-3964-ED50-C0083C44B3FF} - C:\WINDOWS\system32\javayr.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [apifv.exe] C:\WINDOWS\system32\apifv.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Aaua] C:\DOCUME~1\Andy\Application Data\dssl.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: PowerReg Scheduler.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O16 - DPF: ConferenceRoom Java Client - http://www.streamchat.com:8000/java/cr.cab
    O16 - DPF: Dialpad Java Applet - http://www.dialpad.com/applet/src/vscp.cab
    O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38111.7666203704
    O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Whenever I remove the bzxlc lines, they just come back as soon as IE is loaded again. At first the "Only the best" pop-up was loading, but that is gone now. I get a searching IE window with any Google search. I have run Ad-Aware, CWShredder, Spybot S&D, and HijackThis. The S&D removed a bunch at first; now the same 2 keep reappearing:
    DSO Exploit (5 get removed)
    TSCash (1 cannot get removed, running)

    Thanks for any help.
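As an added example (an editor's illustration, not code from this thread, from HijackThis or from any tool the posters used), the following Python script scans a HijackThis log for the three patterns that dominate this thread: R0/R1 browser pages pointing at res:// URLs (a page served from inside a DLL rather than from a website), Browser Helper Objects with no name, and Run entries that launch an executable from the Windows directory under its own name or from the user's Application Data. The sample lines are copied from the log above; the rules are heuristics written for this thread, not HijackThis's own logic, and a hit means "look closer", not "malicious".

```python
"""Triage a HijackThis 1.97.7 log for the patterns discussed in this thread:
R0/R1 browser pages pointing at a res:// URL, unnamed Browser Helper Objects,
and Run entries launching EXEs from the Windows directory under their own name
or from the user's Application Data. Heuristics only; every hit needs a human look."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis lines posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bzxlc.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bzxlc.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Dell
O2 - BHO: (no name) - {55D1B795-FBD4-3964-ED50-C0083C44B3FF} - C:\WINDOWS\system32\javayr.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [apifv.exe] C:\WINDOWS\system32\apifv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Aaua] C:\DOCUME~1\Andy\Application Data\dssl.exe
"""

LINE_RE = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
RES_DLL_RE = re.compile(r"res://([^/]+\.dll)", re.IGNORECASE)   # res://<path>.dll/page
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")      # [ValueName] command line
EXE_RE = re.compile(r'"?(?P<path>.*?\.exe)"?', re.IGNORECASE)   # first .exe path, quoted or not


@dataclass
class Finding:
    section: str   # HijackThis section code: R0, R1, O2, O4, ...
    reason: str
    line: str


def res_dll(value):
    """Return the bare DLL file name a res:// URL points into, or None."""
    m = RES_DLL_RE.search(value)
    return m.group(1).rsplit("\\", 1)[-1].lower() if m else None


def check_line(line):
    """Apply the thread's heuristics to one log line; None means nothing to report."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section in ("R0", "R1") and " = " in body:
        dll = res_dll(body.split(" = ", 1)[1])
        if dll:
            return Finding(section, f"IE page served from inside {dll}", line)
    elif section == "O2" and body.startswith("BHO: (no name)"):
        return Finding(section, "Browser Helper Object with no name", line)
    elif section == "O4":
        run = RUN_RE.search(body)
        exe = EXE_RE.match(run.group("cmd")) if run else None
        if run and exe:
            path = exe.group("path")
            base = path.rsplit("\\", 1)[-1]
            # Pattern seen on this thread's apifv.exe / d3bg.exe entries.
            if run.group("name").lower() == base.lower() and "\\windows\\" in path.lower():
                return Finding(section, "Run value named after its own EXE in the Windows directory", line)
            if "application data" in path.lower():
                return Finding(section, "Run entry launching an EXE from the user's Application Data", line)
    return None


def triage(log_text):
    """All findings for a log, in log order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


def res_dlls(log_text):
    """DLL names that R0/R1 entries point into: the files to locate on disk."""
    names = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("section") in ("R0", "R1") and " = " in m.group("body"):
            dll = res_dll(m.group("body").split(" = ", 1)[1])
            if dll:
                names.add(dll)
    return names


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line.strip()}")
    print("DLLs to locate on disk:", sorted(res_dlls(SAMPLE_LOG)))
```

Run it against a full saved log by reading the file into `triage()`; the `res_dlls()` set is the list of files to go looking for (with hidden and system files shown), since the R0/R1 lines are only symptoms and the DLL that keeps rewriting them is the real target.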
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Get DLLFIX.EXE from: http://tools.zerosrealm.com/dllfix.exe

    1) Save the file to your Desktop, double click dllfix.exe and follow the prompts. This will create a folder called dllfix on your desktop.
    2) Click on this folder and then double click on start.bat.
    3) Select option 1 Run Find-All to scan your PC. This will create a log file.
    4) Post this log back here before running any fixes.
     
  3. Andy R

    Andy R Private E-2

    The command window displays when run:

    ERROR: An Extended Memory Manager is already installed. XMS Driver not installed.

    Could Not Find C:\DOCUME~1\Andy\Desktop\dllfix\mdb.txt

    The operation completed successfully

    Error: The system was unable to find the specified registry key or value
    drive.txt
    ver.txt
    up.txt
    file.txt
    appinit.txt
    bhos.txt
    protocols.txt
    key.txt

    1 file(s) copied


    --==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
    --==***@@@ ORIGINAL BY FREEATLAST @@@***==--

    Mon 06/14/2004
    07:27 PM

    System Info:
    Microsoft Windows XP [Version 5.1.2600]
    C: "" (07D0:0817) - FS:FAT clusters:16k
    Total: 29 999 333 376 [28G] - Free: 8 144 420 864 [7.6G]


    *IE version and Service packs:
    6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
    *Notepad version :
    5.1.2600.0 C:\WINDOWS\system32\notepad.exe
    5.1.2600.0 C:\WINDOWS\notepad.exe
    *Media Player version :
    8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;



    Locked or 'Suspect' file(s) found...
    These may be other files that Dllfix doesnt target.


    Scanning for main Hijacker:


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{55D1B795-FBD4-3964-ED50-C0083C44B3FF}]
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
    @="NAV Helper"

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First, please put HijackThis.exe in its own folder so that it can save backups.
    For example, you could have c:\HijackThis or c:\SpywareStuff\HijackThis

    Shut down all applications and run HijackThis again and have it fix the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bzxlc.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bzxlc.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bzxlc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bzxlc.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bzxlc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bzxlc.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = ,
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"


    Boot in safe mode and delete:
    C:\WINDOWS\System32\dp-him.exe
    C:\Program Files\AutoUpdate <=== the whole directory


    This next item may or may not be bad. Do you have a Creative Labs sound card in your PC?
    If not, this could be a virus. If it is the virus, the file is named devldr32.exe as
    shown, but when you use CTRL-ALT-DEL to look at processes you may see something like
    Divx4 Codec X:

    C:\WINDOWS\System32\devldr32.exe

    These three look suspicious to me but leave them for now. Do you have any idea what they are?
    C:\WINDOWS\system32\sysge32.exe
    O4 - HKLM\..\Run: [apifv.exe] C:\WINDOWS\system32\apifv.exe
    O4 - HKCU\..\Run: [Aaua] C:\DOCUME~1\Andy\Application Data\dssl.exe
     
  5. Andy R

    Andy R Private E-2

    Yes, I'm running an SB Live sound card. I was also suspicious of those last 3 entries, but didn't want to remove them. I will try your suggestions and post back here in a little bit. Thanks
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try using Windows Explorer and right-clicking on each of those 3 suspect files. Then select Properties and then the Version tab. Work your way through the list of item names so we can figure out who these belong to.
     
  7. Andy R

    Andy R Private E-2

    I removed all of the entries from the top section. Once in safe mode, I searched to remove the 2 files/folders and they both were not there. I did a search for the file names and came up with nothing. As for the 3 unknowns, the sysge32 was installed on May 20, well before any of this; the apifv was installed this morning sometime while I was trying to fix the problems. The last file, dssl.exe, was not found. After reboot and normal mode, the problem persists. Looking at HijackThis again, the R1/R0 bzxlc's returned, but the O4's did not.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I need you to look at the version information on those EXE files, not the dates.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also can you please do this:

    1) go here and download Registrar lite and install it:
    http://www.resplendence.com/reglite
    2) Run it, copy and paste this line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    3) Click the "go" tab
    4) Find: "Appinit_Dlls" value on the right side panel.
    5) DoubleClick, copy and post what you find in the following fields here in
    your next post....
    -Size:
    -Value:
     
  10. Andy R

    Andy R Private E-2

    There is no product or file version for either sysge32.exe or apifv.exe.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmmmm?

    Okay can you real quick do this:

    Open Control Panel, select Add/Remove Programs, and see if there is a program called WinShow.
    If so, remove it.
     
  12. Andy R

    Andy R Private E-2

    Nope, it's not there, but when I first had the problem, CWShredder detected a WinShow item. Since then, CWShredder has been clean.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I wonder if that's the problem. Maybe something you used to clean up only removed part of the files. I wonder if we are going to have to reinstall the program so we can uninstall it completely????
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But first let's try this:

    How To Stop The Messenger Service Pop Ups
    ===========================================
    Disabling these little pop ups messages is probably safe on
    99% of the computers on the planet. Unless your computer is in
    a building that has an administrator who wants you to leave it on,
    you can probably turn it off. This can be done by editing the
    start options of the Messenger Service.
    Disabling Messenger Services
    1. From the Start Menu select Control Panel.
    2. Now select the Administrative Tools menu item.
    3. Then select the Services menu item.
    4. Locate the Messenger service in the list, right-click it and select Properties.
    5. If the service is currently running, click the Stop button (a progress dialog
    will display while Windows attempts to shut the service down).
    6. Click the Startup Type drop-down list and select Manual.
    7. Click the OK button to close the dialog window and you’re finished.
    This will allow the service to start if you really need it for
    something, but it will normally remain off.
     
  15. Andy R

    Andy R Private E-2

    It appears this service was currently set to Disabled. I'm assuming I should leave it that way?
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! But can you do what I asked a few posts back? I'll repeat:

    Also can you please do this:

    1) go here and download Registrar lite and install it:
    http://www.resplendence.com/reglite
    2) Run it, copy and paste this line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    3) Click the "go" tab
    4) Find: "Appinit_Dlls" value on the right side panel.
    5) DoubleClick, copy and post what you find in the following fields here in
    your next post....
    -Size:
    -Value:
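As an added example (not code from this thread, from Registrar Lite or from any other tool named here), this Python script does programmatically what the Registrar Lite steps above ask for by hand: it reads the AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows and reports its size and value, and it also reads the Internet Explorer Main values under both HKLM and HKCU and flags any that point at a res:// URL. On Windows it uses the standard `winreg` module against the live registry; on any other platform it runs against constructed sample data (the IE values are copied from the logs in this thread, the AppInit_DLLs entry is a made-up placeholder name) so the interpretation logic can be exercised anywhere.

```python
"""Inspect the registry locations discussed in this thread: AppInit_DLLs and the
Internet Explorer start/search page values, under both HKLM and HKCU.
Reads the live registry on Windows; uses constructed sample data elsewhere."""
import re
import sys

APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
IE_MAIN_KEY = r"Software\Microsoft\Internet Explorer\Main"
IE_VALUE_NAMES = ("Start Page", "Search Page", "Default_Page_URL",
                  "Default_Search_URL", "Local Page")


def parse_appinit(value):
    """Split an AppInit_DLLs string into its DLL entries (Windows accepts a
    space- or comma-separated list). None or '' means nothing is loaded."""
    if not value:
        return []
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]


def assess_appinit(value):
    """Every DLL listed here is mapped into each process that loads user32.dll,
    which is why a non-empty value on a home XP box deserves scrutiny."""
    return [f"AppInit_DLLs loads {dll} into every user32-linked process"
            for dll in parse_appinit(value)]


def assess_ie_values(values):
    """values: {value name: data} read from an IE Main key. Flags pages served
    from a res:// URL, i.e. from inside a DLL rather than from a website."""
    return [(name, data) for name, data in values.items()
            if isinstance(data, str) and data.lower().startswith("res://")]


def read_windows_registry():
    """Read the live values; only callable on Windows.
    Returns (appinit_value_or_None, {"HKLM": {...}, "HKCU": {...}})."""
    import winreg
    appinit = None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
            appinit, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
    except OSError:
        pass  # key or value absent, as reported in this thread
    ie = {}
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        ie[hive_name] = {}
        try:
            with winreg.OpenKey(hive, IE_MAIN_KEY) as key:
                for name in IE_VALUE_NAMES:
                    try:
                        ie[hive_name][name], _ = winreg.QueryValueEx(key, name)
                    except OSError:
                        continue
        except OSError:
            continue
    return appinit, ie


# Constructed sample: IE values copied from the thread's logs, plus a made-up
# placeholder AppInit_DLLs entry so the non-Windows run exercises both checks.
SAMPLE_APPINIT = r"C:\WINDOWS\placeholder_hook.dll"
SAMPLE_IE = {
    "HKLM": {"Start Page": "res://bzxlc.dll/index.html#37049",
             "Search Page": r"res://C:\WINDOWS\bzxlc.dll/sp.html#37049",
             "Local Page": r"c:\windows\SYSTEM\blank.htm"},
    "HKCU": {"Start Page": "res://bzxlc.dll/index.html#37049",
             "Window Title": "Microsoft Internet Explorer provided by Dell"},
}


def report(appinit, ie):
    """Human-readable lines: the Size/Value pair the thread asks for, then findings."""
    size = 0 if appinit is None else len(appinit)
    lines = [f"AppInit_DLLs: size={size} chars, value={appinit!r}"]
    lines.extend(assess_appinit(appinit))
    for hive, values in ie.items():
        for name, data in assess_ie_values(values):
            lines.append(f"{hive}\\...\\Main,{name} = {data}  <== served from a DLL, not a website")
    return lines


if __name__ == "__main__":
    if sys.platform == "win32":
        appinit, ie = read_windows_registry()
    else:
        appinit, ie = SAMPLE_APPINIT, SAMPLE_IE
    print("\n".join(report(appinit, ie)))
```

Reading HKLM needs no special rights (the RegDACL output earlier in the thread shows Users have Read on that key), so this can be run from the affected account; writing the value back, which is what the hijacker must be doing, requires Administrators or SYSTEM.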
     
  17. Andy R

    Andy R Private E-2

    I'm sorry, I missed that post. I do not see AppInit.

    *I really appreciate your time and help - thanks
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay one more thing then I gotta get to sleep. Also look for this in Control Panel/Add or Remove programs and if you find "iefeatsl" remove it.
     
  19. Andy R

    Andy R Private E-2

    Yeah, I removed that this morning. I should probably get some sleep too. Thanks for the help again.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Send another HijackThis log when you get a chance. Make sure to shut down all apps before running.

    Talk to ya later!!
     
  21. Andy R

    Andy R Private E-2

    Logfile of HijackThis v1.97.7
    Scan saved at 1:15:49 AM, on 6/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\sysge32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\apifv.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Andy\Desktop\hijack_spyware_remover\HijackThis.exe


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bzxlc.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bzxlc.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bzxlc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bzxlc.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bzxlc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bzxlc.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Dell
    O2 - BHO: (no name) - {55D1B795-FBD4-3964-ED50-C0083C44B3FF} - C:\WINDOWS\system32\javayr.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [apifv.exe] C:\WINDOWS\system32\apifv.exe
    O4 - HKCU\..\Run: [Aaua] C:\DOCUME~1\Andy\Application Data\dssl.exe
    O4 - Global Startup: PowerReg Scheduler.exe
    O16 - DPF: ConferenceRoom Java Client - http://www.streamchat.com:8000/java/cr.cab
    O16 - DPF: Dialpad Java Applet - http://www.dialpad.com/applet/src/vscp.cab
    O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38111.7666203704
    O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The crap is back!!! Still getting popups too?
     
  23. Andy R

    Andy R Private E-2

    Yeah, occasionally, and when I do a Google search, it still opens up a new browser window with one of those fake searches.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, let's use that DLL-Fix program again:

    1) Run start.bat again and select 2. Run Fix
    2) Select 2. Run Fix without Dll Name It will be searched for Later
    It will start the fix and search for it on its own. It will complete the reset automatically.
    On Windows XP it will reboot in 15 seconds. On Windows 2000 it will ask you to reboot.
    Please do so immediately when asked. It will rerun on bootup. After it's completed on bootup it will show a log of what it found.
    Save this log where you can get at it and post it later.

    At this point run full scans with Ad-Aware and SpyBot S&D and allow them to remove what they find.
    Now reboot again and run CWShredder and allow it to fix anything it finds.
    Now run HijackThis and post its log.

    Talk to you tomorrow some time!
     
  25. Andy R

    Andy R Private E-2

    Also, like the other guy said, I can tell the internet is much slower on initial loads, and it seems as though there is some traffic. I don't know much about these, but I'm assuming there is some sort of data being transferred.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay try the DLL-Fix thing below.
     
  27. Andy R

    Andy R Private E-2

    DLLFix has been running all night without completion. Every 10 to 20 seconds a new line is moved on saying:

    Error: The system was unable to find the specified registry key or value

    So it's been running about 7-8 hours and no signs of stopping. I'm not sure what exactly the program does, but if it's checking every DLL file on my computer, that may be the problem. I have many, many programs installed that may add up to quite a few DLL files.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like it is not going to find the problem DLL file. That's what it is trying to do. It searches for a hidden DLL that is the cause of problems like these. If you have not already done so, you may as well just abort. We gotta do some more research on this "Only The Best" problem. It looks harder to cure than the about:blank problems that have been a pain. The files shown in HijackThis look similar though. They must be using another way of hiding the DLL.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Andy, a while back you said

    are you sure you did this right? It should look like:
     


  30. Andy R

    Andy R Private E-2

    Well, now when I tried it, there is not even a Windows folder inside the CurrentVersion folder.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And there was before? Or don't you remember? This does not look right. Maybe we need to check which folders are under CurrentVersion.
     
  32. Andy R

    Andy R Private E-2

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is strange. Several people here on MG's are reporting the same as you.

    See this link from Microsoft on AppInit_DLLs: http://support.microsoft.com/default.aspx?scid=kb;en-us;197571

    I'm wondering if there is some kind of problem with Administrator privileges and maybe that is why you cannot see it. See text in the MS link saying:

    "Normally, only the Administrators group and the LocalSystem account have write access to the key containing the AppInit_DLLs value."
     
  34. Andy R

    Andy R Private E-2

    Yes, this is strange. Earlier today I removed the 3 suspicious reg entries and their corresponding EXE files. Here is a newer copy of my HijackThis log:


    Logfile of HijackThis v1.97.7
    Scan saved at 7:43:02 PM, on 6/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\sdkox.exe
    C:\WINDOWS\system32\d3bg.exe
    C:\Program Files\Registrar Lite\rl.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Screenshot Utility\ScreenshotUtility.exe
    C:\KERB\krbcc32s.exe
    C:\Documents and Settings\Andy\Desktop\hijack_spyware_remover\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bzxlc.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bzxlc.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bzxlc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bzxlc.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bzxlc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bzxlc.dll/sp.html#37049
    O2 - BHO: (no name) - {55D1B795-FBD4-3964-ED50-C0083C44B3FF} - C:\WINDOWS\system32\javayr.dll
    O4 - HKLM\..\Run: [d3bg.exe] C:\WINDOWS\system32\d3bg.exe
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab


    I have no idea why it would show the "Windows" folder one time, and now it's not even there. I will try restarting and checking right away. At this point I am unsure where to take this. I've done net searches for this problem, and it seems this is the only forum talking about it. Let me know what you think. Thanks again.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can I assume, since your log is so small, that you shut down lots of items before running HijackThis?

    Okay, let's take a look at anything that is even questionable (don't fix anything yet; let's talk about each):

    C:\WINDOWS\sdkox.exe <==== What's this
    C:\WINDOWS\system32\d3bg.exe <==== What's this
    C:\Program Files\Internet Explorer\IEXPLORE.EXE <=== Next time shutdown all browsers
    C:\KERB\krbcc32s.exe <==== What's this

    Obviously we know all the R0 and R1 items are bad. We just need to find what keeps causing them.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bzxlc.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bzxlc.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bzxlc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bzxlc.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bzxlc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bzxlc.dll/sp.html#37049

    What is this next dll? Is it something for a valid java application?
    O2 - BHO: (no name) - {55D1B795-FBD4-3964-ED50-C0083C44B3FF} - C:\WINDOWS\system32\javayr.dll

    O4 - HKLM\..\Run: [d3bg.exe] C:\WINDOWS\system32\d3bg.exe <=== as above what's this

    By the way what were the names of these:
    "I removed the 3 suspicious reg entries and their corresponding exe files."
     
  36. Andy R

    Andy R Private E-2

    These are the 3 I got rid of before:

    C:\WINDOWS\system32\sysge32.exe
    O4 - HKLM\..\Run: [apifv.exe] C:\WINDOWS\system32\apifv.exe
    O4 - HKCU\..\Run: [Aaua] C:\DOCUME~1\Andy\Application Data\dssl.exe

    The running programs sdkox and d3bg are not recognizable to me and don't have any information with them. The krbcc32s was from running Kerberos Sidecar so I could upload the picture onto my webspace.

    The Java entry may be valid, but I don't think I need it in there. And yes, I did hide a few entries to reduce the clutter. I was pretty positive about the ones I excluded.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I thought you meant the first three that I mentioned way back as being suspicious but I was not sure.

    See if you can get Company information on sdkox and d3bg (you know: right-click, Properties, Version).
     
  38. Andy R

    Andy R Private E-2

    Again, there is no company information on either of those executables.
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try renaming those two EXE files to:

    sdkox.exe ----> sdkoxexe.old
    d3bg.exe ----> d3bgexe.old

    You may have to be in safe mode to do that. After rebooting from safe mode, run another HijackThis log before you run anything else. If those strange R0 and R1 entries are still there, try fixing them again. Then try opening and closing IE a few times (maybe go to a few websites) and then check HijackThis again.
     
  40. Andy R

    Andy R Private E-2

    Hey hey,

    So I renamed the files in safe mode and then in normal mode I removed just the res: entries. After loading Explorer, the problem was back. Here was the log after that:


    Logfile of HijackThis v1.97.7
    Scan saved at 10:49:43 PM, on 6/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\sysqz32.exe
    C:\Documents and Settings\Andy\Desktop\hijack_spyware_remover\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bzxlc.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bzxlc.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bzxlc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bzxlc.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bzxlc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bzxlc.dll/sp.html#37049
    O2 - BHO: (no name) - {55D1B795-FBD4-3964-ED50-C0083C44B3FF} - C:\WINDOWS\system32\javayr.dll
    O4 - HKLM\..\Run: [d3bg.exe] C:\WINDOWS\system32\d3bg.exe
    O4 - HKLM\..\Run: [sysqz32.exe] C:\WINDOWS\sysqz32.exe
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab


    Then I ran HijackThis again and removed all the R's, the BHO javayr.dll entry and the d3bg entry. After running IE again, everything was fixed so far *crossing fingers*

    I will do some more searching around to make sure it's gone. I didn't see any ill effects from renaming those files. Do you think I should just go and delete them?
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Andy,

    In your Documents and Settings directory, for whatever user name you log in with, go to the Application Data directory. Is there a directory called mspt?

    Example: c:\Documents and Settings\username\ Application Data\mspt
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just leave the files renamed for now. Do not erase your HijackThis backups or remove anything from your Recycle Bin yet. Also, we need to be careful, since System Restore could also make these files come back. You may want to consider disabling System Restore and then rebooting and running for a while to make sure things are fixed. I hope they are!!!!! :eek:

    Edit: Did you notice this new line:
    C:\WINDOWS\sysqz32.exe
     
  43. Andy R

    Andy R Private E-2

    I think there was that folder, but I deleted it and a few others the other day. And the thing is back, but it has changed its name from bzxlc.dll to pjqmw.dll.
     
  44. Andy R

    Andy R Private E-2

    Yes, I turned my System Restore off after this all first started.
     
  45. Andy R

    Andy R Private E-2

    Here is the new log:


    Logfile of HijackThis v1.97.7
    Scan saved at 11:04:56 PM, on 6/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\sysqz32.exe
    C:\Program Files\AIM95\aim.exe
    C:\Documents and Settings\Andy\Desktop\hijack_spyware_remover\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pjqmw.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pjqmw.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pjqmw.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pjqmw.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pjqmw.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pjqmw.dll/sp.html#37049
    O2 - BHO: (no name) - {9738650B-4BF7-F786-4307-84ABCDBD197D} - C:\WINDOWS\system32\appvd.dll
    O4 - HKLM\..\Run: [sysqz32.exe] C:\WINDOWS\sysqz32.exe
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
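    The two logs above (10:49 PM and 11:04 PM) differ only in the random names the hijacker picks each time it regenerates: the res:// start page moved from bzxlc.dll to pjqmw.dll and the nameless BHO from javayr.dll to appvd.dll, while sysqz32.exe stayed. As an added example that is not part of the thread and not HijackThis's own logic, the Python script below parses the entry lines of two logs, flags the res:// start/search pages, the nameless BHO in the Windows directory and the autorun binaries in the Windows directory, and then pairs up what changed between the logs by entry type, so a renamed payload shows up as a rotation rather than as a fix. The sample lines are copied from the thread's logs; the KNOWN_GOOD_RUN allowlist is an assumed analyst-maintained list, and the flagging heuristics are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: entry lines copied from the two logs in the thread
# (10:49 PM and 11:04 PM on 6/15/2004), trimmed to the lines that matter.
LOG_1049 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bzxlc.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bzxlc.dll/index.html#37049
O2 - BHO: (no name) - {55D1B795-FBD4-3964-ED50-C0083C44B3FF} - C:\WINDOWS\system32\javayr.dll
O4 - HKLM\..\Run: [d3bg.exe] C:\WINDOWS\system32\d3bg.exe
O4 - HKLM\..\Run: [sysqz32.exe] C:\WINDOWS\sysqz32.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
"""
LOG_1104 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pjqmw.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pjqmw.dll/index.html#37049
O2 - BHO: (no name) - {9738650B-4BF7-F786-4307-84ABCDBD197D} - C:\WINDOWS\system32\appvd.dll
O4 - HKLM\..\Run: [sysqz32.exe] C:\WINDOWS\sysqz32.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# res:// URL that loads an HTML page out of a DLL, with or without a drive path in front
RES_DLL_RE = re.compile(r"res://(?:[A-Za-z]:\\(?:[^\\/]+\\)*)?(?P<dll>[^\\/]+\.dll)/", re.I)
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<path>.+)$")
# Assumed analyst-maintained allowlist of Windows-directory autoruns already vetted as legitimate.
KNOWN_GOOD_RUN = {"ctfmon.exe"}


@dataclass(frozen=True)
class Finding:
    kind: str      # HijackThis entry type (R0/R1, O2, O4)
    artifact: str  # file name the entry points at, lower-cased
    reason: str
    entry: str


def basename(path):
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_windows_dir(path):
    return "\\windows\\" in path.lower()


def triage(log_text):
    """Return the entries of one log that match the hijacker's pattern."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            r = RES_DLL_RE.search(body)
            if r:
                findings.append(Finding(kind, r.group("dll").lower(),
                                        "IE start/search page served out of a DLL via res://", body))
        elif kind == "O2":
            b = BHO_RE.match(body)
            if b and b.group("name") == "(no name)" and in_windows_dir(b.group("path")):
                findings.append(Finding(kind, basename(b.group("path")),
                                        "nameless BHO loaded from the Windows directory", body))
        elif kind == "O4":
            r = RUN_RE.match(body)
            if r and in_windows_dir(r.group("path")):
                name = basename(r.group("path"))
                if name not in KNOWN_GOOD_RUN:
                    findings.append(Finding(kind, name,
                                            "autorun binary in the Windows directory, not on the allowlist", body))
    return findings


def compare(before, after):
    """Artifacts that disappeared, appeared, or survived between two logs."""
    a = {f.artifact for f in before}
    b = {f.artifact for f in after}
    return {"gone": sorted(a - b), "new": sorted(b - a), "persistent": sorted(a & b)}


def rotations(before, after):
    """Pair up changes by entry type. The same role filled by a new file name
    between two logs means the payload was regenerated, not removed; a role
    with a 'gone' file and no 'new' one is a fix that actually stuck."""
    def by_role(findings):
        roles = {}
        for f in findings:
            role = "R" if f.kind.startswith("R") else f.kind
            roles.setdefault(role, set()).add(f.artifact)
        return roles
    a, b = by_role(before), by_role(after)
    out = {}
    for role in sorted(set(a) | set(b)):
        gone = sorted(a.get(role, set()) - b.get(role, set()))
        new = sorted(b.get(role, set()) - a.get(role, set()))
        if gone or new:
            out[role] = (gone, new)
    return out


if __name__ == "__main__":
    first, second = triage(LOG_1049), triage(LOG_1104)
    for f in first + second:
        print(f"{f.kind:3} {f.artifact:12} {f.reason}")
    print(compare(first, second))
    print(rotations(first, second))
```

    On the two logs from the thread, rotations() reports R: bzxlc.dll to pjqmw.dll and O2: javayr.dll to appvd.dll (regenerated under new names), and O4: d3bg.exe gone with nothing new (that fix held), with sysqz32.exe persistent across both. A role that keeps rotating is the signal that some other component, not the flagged DLL itself, is writing these entries back.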
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Andy,

    Download and install PrcView: http://www.majorgeeks.com/download4246.html It will install right into the directory you put it in, so you may want to download it to its own directory. Then run the runme.bat file in the PV directory. This brings up a menu of different DLLs to look at. Do not clean anything with it yet. Just take a look at menu selections 1 thru 6 and (this is going to be tedious) start looking for any DLLs in the list that do not look right. You can take a look at menu item 10 for info on the program.
     
  47. Andy R

    Andy R Private E-2

    I guess these look suspicious:


    COMRes.dll
    CLBCATQ.dll
    appvd.dll <-- this one is on the hijacker, positive this is a bad one
    colbact.dll
    es.dll
    comsvcs.dll
    Ati2evxx.dll
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What info can you get on appvd.dll from PrcView or by using explorer?


    COMRes.dll - this is for Microsoft
    CLBCATQ.dll - this is for Microsoft
    colbact.dll - this is for Microsoft
    es.dll - this is for Microsoft
    comsvcs.dll - this is for Microsoft
    Ati2evxx.dll - this is most likely for an ATI video card. Is that what you have?
     
  49. Andy R

    Andy R Private E-2

    There is no info on that, just like the others. It seems to have taken the place of the javayr.dll. So I'm thinking once we remove it, a new one will take its place. I have no idea how these keep reproducing. Like I said, it started as mshp -> bzxlc -> pjqmw.
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is a file somewhere that spawns this new DLL each time you reboot or run IE. We need to locate that file. We need to track the processes that run so that we can find this. Go here http://www.sysinternals.com/ntw2k/utilities.shtml and download Process Explorer V8.4 and run it and leave it running.

    Then use HijackThis to fix all the baddies (with IE closed). Now open IE again and see if you can catch any new process other than iexplore.exe running. It may come and go. There could even be something there beforehand that may not show in Task Manager.
     
