Jump to content


Photo

I give up. Need Help w/about.blank


  • Please log in to reply
18 replies to this topic

#1 triplem

triplem

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 01 July 2004 - 05:08 PM

I have done everything I know to do, and read forum after forum, but cannot get rid of it. Run ad aware, sypbot, spysweeper in safe mode, find infected files, delete them. Then run hijackthis, find the bad entries, but hijackthis errors out, cannot repair. Here is the error message from hijackthis.

An unexpected error has occurred at procedure: cmdFix_Click()
Error #75 - Path/File access error (28 items in results list)
Please email me at merijn@spywareinfo.com, reporting the following:
* What you were doing when the error occurred
* How you can reproduce the error
* A complete HijackThis scan log, if possible
Windows version: Windows NT 5.00.2195
MSIE version: 6.0.2800.1106
HijackThis version: 1.98.0
This message has been copied to your clipboard.

Here is my latest hijackthis log, with nothing ignored.

Logfile of HijackThis v1.98.0
Scan saved at 4:57:21 PM, on 7/1/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~1\NORTON~4\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~4\npssvc.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mqsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~4\alertsvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Smart Protector Pro\SmartProtectorPro.exe
C:\WINDOWS\system32\mobsync.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\SPYWARE TOOLS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7DBACA28-97F0-4CEC-A115-E1C552F3DFB9} - c:\windows\system32\lmofj.dll (file missing)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NORTON~1\NORTON~4\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~4\defalert.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Smart Protector Pro\SmartProtectorPro.exe" /stealt
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - (no file)

#2 triplem

triplem

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 02 July 2004 - 04:04 PM

After I posted yesterday, and got no replies, I tried again this morning. I thought I had it gone. Worked on my computer for more than four hours today, with no problems. Went to spyware warrior forum looking around, and was hijacked while I was there. I have read the FAQ, and followed the instructions yesterday and today. I ran ad aware three times and spy bot once, both in safe mode. They both show clean. Rebooted and ran hijack this. Here is the log. Please, Please Help.

Logfile of HijackThis v1.98.0
Scan saved at 3:50:55 PM, on 7/2/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~1\NORTON~4\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~4\npssvc.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~4\alertsvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Smart Protector Pro\SmartProtectorPro.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E5195BE-25C9-44C7-A2D9-1BCB1E7B6CD4} - c:\windows\system32\cck.dll (file missing)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NORTON~1\NORTON~4\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~4\defalert.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Smart Protector Pro\SmartProtectorPro.exe" /stealt
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - (no file)

#3 jwbirdsong

jwbirdsong

    Slasher O' spyware

  • Emeritus
  • PipPipPipPipPip
  • 2,045 posts

Posted 03 July 2004 - 09:52 AM

Re-download HijackThis (don't use the update feature, you must get a NEW copy) A patched version was released today.

Open Control Panel>Add/Remove applet and uninstall Weather Bug <----<---Optional but Highly recommended to remov. While not spyware itself it can open you up to attacks

Press Ctrl+Alt+Del and 'end task' on any of the follow that are present
C:\Program Files\AWS\WeatherBug\Weather.exe
Put a check next to these in hijackthis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {7E5195BE-25C9-44C7-A2D9-1BCB1E7B6CD4} - c:\windows\system32\cck.dll (file missing)
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 <---Optional
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE <---Optional but Highly recommended to remove not needed at start and huge resource hog

THEN WITH ALL OTHER WINDOWS CLOSED ,press "Fix".

Make sure you are set to Show Hidden Files and Folders and delete the following files/folders:-

C:\Program Files\AWS\ <---Optional, only delete if removed above in 04)ENTIRE FOLDER!!
Delete files/folder from the following directories (But not the directory itself, for example delete all files/folder IN temp; but not temp itself!)
[*]C:\Windows\Temp\
[*]C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
[*]C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
[*]C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <---This will delete your internet cache--including cookies. This is recommended and strongly suggested.
[*]C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\
[*]Empty your "Recycle Bin"


If you already have and use Ad-Aware make sure you are updated and use the setting in the 'speech' below:
Now download Ad-Aware at http://www.lavasoftu...pport/download/
After installing AAW, and before running the program, FIRST update the reference file following these instructions.
- On the main AdAware screen hit the Check for Updates, hit the 'Connect' key; it will then connect, check for then ask if you want to download latest Ref. files (if one is available), accept. Once downloaded hit "Finish" (Green Checkmark)

Now do the following:

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys. Click 'Next' again
Right-click in that pane and choose "select all"

If it finds "bad" files and registry keys, press "Next" again
It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.
Make sure you have version 1.3 of Spybot as 1.2 is no longer updated.
Go here download Spybot S&D. Install Spybot, close all other windows and run it. [b]ALWAYS[b] use the search for update button when you first open Spybot. Let Spybot download and install any updates it finds..Now you are ready to click the Check for problems button. Let Spybot fix any entries marked in RED

Then Reboot and post a fresh log back to this thread.
Things you need(all FREE)
Anti-Virus (Only One of these)
AVG Avast
Firewall (Only One here too)
Kerio(Direct Download) Zone Alarm
Misc. (Use all 3 together)
IE Spyads SpywareBlaster Spyware Guard
Windows Update (Once a week)
get all CRITICAL Updates

Things you want(Still Free)
Mozillia Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

Please donate to the site to help us help you. Info found HERE

Posted Image
PROUD member Since 2004

#4 triplem

triplem

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 06 July 2004 - 02:10 PM

jwbirdsong.
Followed your above instructions. Ran AAW, found problems, let AAW fix them.
Rebooted, ran Spybot 1.3 w/updates, found no problems. Ran AAW again, this time found no problems. Here is latest hijackthis log. version 1.98.

Logfile of HijackThis v1.98.0
Scan saved at 2:06:26 PM, on 7/6/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~1\NORTON~4\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~4\npssvc.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~4\alertsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Smart Protector Pro\SmartProtectorPro.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7D99A9BC-DAA7-409B-964E-948439C1344C} - c:\my downloads\backups\backup-20040630-192210-991.dll (file missing)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NORTON~1\NORTON~4\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~4\defalert.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\Run: [Eoth] C:\Documents and Settings\Michael.DOMAIN\Application Data\cocc.exe
O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Smart Protector Pro\SmartProtectorPro.exe" /stealt
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - (no file)
O18 - Filter: text/html - {F007AF03-2045-4F0B-B84B-B4EEB6E28B0A} - c:\my downloads\backups\backup-20040630-192210-991.dll
O18 - Filter: text/plain - {F007AF03-2045-4F0B-B84B-B4EEB6E28B0A} - c:\my downloads\backups\backup-20040630-192210-991.dll

#5 jwbirdsong

jwbirdsong

    Slasher O' spyware

  • Emeritus
  • PipPipPipPipPip
  • 2,045 posts

Posted 06 July 2004 - 04:01 PM

Download and install:

"FINDnFIX.exe" from http://freeatlast100...om/FINDnFIX.exe or http://downloads.sub...rg/FINDnFIX.exe

Run the "!LOG!.bat" file, wait for the final output (log.txt)
post the results here in this same thread along with a fresh HijackThis log.
Things you need(all FREE)
Anti-Virus (Only One of these)
AVG Avast
Firewall (Only One here too)
Kerio(Direct Download) Zone Alarm
Misc. (Use all 3 together)
IE Spyads SpywareBlaster Spyware Guard
Windows Update (Once a week)
get all CRITICAL Updates

Things you want(Still Free)
Mozillia Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

Please donate to the site to help us help you. Info found HERE

Posted Image
PROUD member Since 2004

#6 triplem

triplem

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 06 July 2004 - 06:16 PM

Here are the latest FindnFix and hijackthis logs.


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** freeatlast100.100free.com ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Microsoft Windows 2000 [Version 5.00.2195]
╗╗╗IE build and last SP(s)
6.0.2800.1106 SP1-Q837009-Q832894
The type of the file system is NTFS.
C: is not dirty.

Tue 07/06/2004
6:08pm up 0 days, 0:38

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG!***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Scanning for file(s)...
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗╗╗ (*1*) ╗╗╗╗╗ .........
╗╗Locked or 'Suspect' file(s) found...

C:\WINDOWS\System32\CTLO.DLL +++ File read error
\\?\C:\WINDOWS\System32\CTLO.DLL +++ File read error

╗╗╗╗╗ (*2*) ╗╗╗╗╗........
**File C:\FINDnFIX\LIST.TXT
CTLO.DLL Can't Open!

╗╗╗╗╗ (*3*) ╗╗╗╗╗........

C:\WINDOWS\SYSTEM32\
ctlo.dll Fri Jun 18 2004 7:47:14p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

╗╗╗╗╗ (*4*) ╗╗╗╗╗.........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\CTLO.DLL


╗╗╗╗╗(*5*)╗╗╗╗╗
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
» Access denied « ..................... CTLO.DLL .....57344 18.06.2004

╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗

╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

╗╗Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


╗╗Member of...: (Admin logon required!)
User is a member of group DOMAIN\Domain Admins.
User is a member of group \Everyone.
User is a member of group COMPAQDPMM\Debugger Users.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group \LOCAL.

╗╗ Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


╗╗Notepad check....

C:\WINDOWS\
notepad.exe Tue Jun 29 2004 6:33:32p A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K

C:\WINDOWS\SYSTEM32\
notepad.exe Tue Dec 7 1999 7:00:00a A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K

C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Tue Dec 7 1999 7:00:00a A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K
--a-- W32i APP ENU 5.0.2140.1 shp 50,960 12-07-1999 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft® Windows ® 2000 Operating System
ProductVersion 5.00.2140.1
FileVersion 5.00.2140.1
LegalCopyright Copyright © Microsoft Corp. 1981-1999

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050000:085c0001 (5.0:2140.1)
ProdVer: 00050000:085c0001 (5.0:2140.1)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

╗╗Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000013 tco- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000013 tco- 001F01FF ---- DSPO rw+x COMPAQDPMM\MICHAEL

Owner: BUILTIN\Administrators

Primary Group: DOMAIN\Domain Admins



╗╗╗╗╗╗Backups created...╗╗╗╗╗╗
6:11pm up 0 days, 0:41
Tue 07/06/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 07-06-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-06-2004 winkey.reg

╗╗Performing string scan....
00001150: ?
00001190: 8 P
000011D0: vk : AppInit_DLLsc 0 C : \ W I N D O W S
00001210:\ s y s t e m 3 2 \ c t l o . d l l vk h \
00001250:DeviceNotSelectedTimeout 1 5 ` 0 vk
00001290: ' GDIProcessHandleQuota vk
000012D0:Spooler y e s , vk , swapdisk
00001310: vk @ TransmissionRetryTimeout 9 0 `
00001350: vk ' " USERProcessHandleQuota
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- WIN.TXT
AppInit_DLLsc
--------------
--------------
C:\WINDOWS\system32\ctlo.dll
yes
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710


**File C:\FINDnFIX\WIN.TXT
        Ó   đ 8 ł Ş ­  P ě   vk : °   AppInit_DLLsc 0 └   C : \ W I N D O W S \ s y s t e m 3 2 \ c t l o . d l l đ   vk  h   \ DeviceNotSelectedTimeoutÓ   1 5  `ň ░ň Ŕň 0 đ   vk  Ç'   GDIProcessHandleQuota Ó   vk  ě   Spooler Ŕ   y e s , » 


Logfile of HijackThis v1.98.0
Scan saved at 6:13:53 PM, on 7/6/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~1\NORTON~4\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~4\npssvc.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\System32\mqsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~4\alertsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Smart Protector Pro\SmartProtectorPro.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {58911F4B-CE36-457B-9191-D6A8EA662455} - c:\windows\system32\odenkia.dll (file missing)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NORTON~1\NORTON~4\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~4\defalert.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\Run: [Eoth] C:\Documents and Settings\Michael.DOMAIN\Application Data\cocc.exe
O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Smart Protector Pro\SmartProtectorPro.exe" /stealt
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - (no file)

#7 jwbirdsong

jwbirdsong

    Slasher O' spyware

  • Emeritus
  • PipPipPipPipPip
  • 2,045 posts

Posted 06 July 2004 - 07:15 PM

This will take couple or more steps to fix.
Be sure to Follow the next set of steps carefully, in
the exact order specified:


-Open the FINDnFIX\Keys1 Subfolder!
- Locate the "MOVEit.bat" file, Right-Click on
it,select->edit:
The file will open as text file.
-Copy and paste the entire hilited line in the following quote box
(all one line) into the 'MOVEit' file, replacing it's contents:

move %WinDir%\System32\CTLO.DLL %SystemDrive%\junkxxx\CTLO.DLL



Be sure to Replace the text in the file with
the command above!


-Save the file and close.

*Get ready to restart your computer:
-In the same folder, DoubleClick on the "FIX.bat" file.
You will be prompted by popup -Alert to restart in 15 seconds.
-Allow it to restart the computer!

-On restart, Navigate to:
C:\FINDnFIX\ main folder:
-DoubleClick on the "RESTORE.bat" file.

It'll run and produce new log. (log1.txt) post it here!

We need to get rid of your temp.sp.html then finish cleaning up HJTlog
Things you need(all FREE)
Anti-Virus (Only One of these)
AVG Avast
Firewall (Only One here too)
Kerio(Direct Download) Zone Alarm
Misc. (Use all 3 together)
IE Spyads SpywareBlaster Spyware Guard
Windows Update (Once a week)
get all CRITICAL Updates

Things you want(Still Free)
Mozillia Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

Please donate to the site to help us help you. Info found HERE

Posted Image
PROUD member Since 2004

#8 triplem

triplem

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 06 July 2004 - 07:26 PM

When I right click MOVEit.bat, I do not get an edit option. I get

Scan with Norton Anti virus
Winzip
Send to
Cut
Copy
Create Shortcut
Delete
Rename
Properties

Am I not understanding your instructions?
Thanks

#9 jwbirdsong

jwbirdsong

    Slasher O' spyware

  • Emeritus
  • PipPipPipPipPip
  • 2,045 posts

Posted 06 July 2004 - 07:34 PM

No you understand just fine...some "hacked " version of XP dont have the edit option..

You can either manualy open Moveit.bat w/ notepad and make the replacement OR do the following in the quote box

*Get ready to restart:
- DoubleClick on the "FIX.bat" file in the 'FINDnFIX'\Keys1 Subfolder.
-Wait for the  popup -Alert to restart your computer in 15 seconds.

On restart, navigate to System32 folder:
-Locate and select the "SQLIGCTLO.DLL" file (as it will be visible)
And use the folder's top menu>edit>
move to folder...
Select the C:\junkxxx as destination and move
the "SQLIGCTLO.DLL" there.
--------------------------------------------------------------

Run  the "RESTORE.bat", file , wait for
and post the 'log1.txt' file!


Edited canned speech :blush: :whistle:

Edited by jwbirdsong, 06 July 2004 - 08:45 PM.

Things you need(all FREE)
Anti-Virus (Only One of these)
AVG Avast
Firewall (Only One here too)
Kerio(Direct Download) Zone Alarm
Misc. (Use all 3 together)
IE Spyads SpywareBlaster Spyware Guard
Windows Update (Once a week)
get all CRITICAL Updates

Things you want(Still Free)
Mozillia Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

Please donate to the site to help us help you. Info found HERE

Posted Image
PROUD member Since 2004

#10 triplem

triplem

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 06 July 2004 - 07:49 PM

I chose the option in your quote box, but the SQLIG.DLL file is not visible in system32

#11 jwbirdsong

jwbirdsong

    Slasher O' spyware

  • Emeritus
  • PipPipPipPipPip
  • 2,045 posts

Posted 06 July 2004 - 08:36 PM

Make sure you are set to show hidden files and folders:
Show Hidden Files and Folders

Sorry I used a canned fix and didn't change here is proper option 2

*Get ready to restart:
- DoubleClick on the "FIX.bat" file in the 'FINDnFIX'\Keys1 Subfolder.
-Wait for the  popup -Alert to restart your computer in 15 seconds.

On restart, navigate to System32 folder:
-Locate and select the "CTLO.DLL" file (as it will be visible)
And use the folder's top menu>edit>
move to folder...
Select the C:\junkxxx as destination and move
the "CTLO.DLL" there.
--------------------------------------------------------------

Run  the "RESTORE.bat", file , wait for
and post the 'log1.txt' file!


Edited by jwbirdsong, 06 July 2004 - 08:39 PM.

Things you need(all FREE)
Anti-Virus (Only One of these)
AVG Avast
Firewall (Only One here too)
Kerio(Direct Download) Zone Alarm
Misc. (Use all 3 together)
IE Spyads SpywareBlaster Spyware Guard
Windows Update (Once a week)
get all CRITICAL Updates

Things you want(Still Free)
Mozillia Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

Please donate to the site to help us help you. Info found HERE

Posted Image
PROUD member Since 2004

#12 triplem

triplem

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 06 July 2004 - 09:01 PM

Show hidden files and folders is enabled. Ran above instructions, but ctlo.dll is not in system32. We already did this once. Ctlo.dll is in C:\junkxxx and is named ctlo.222. At this point, can I open MOVEit.bat in notepad, replace the text with the indicated text in your earlier post?
Thanks

#13 jwbirdsong

jwbirdsong

    Slasher O' spyware

  • Emeritus
  • PipPipPipPipPip
  • 2,045 posts

Posted 06 July 2004 - 09:04 PM

yes please
I didn't realise you had gotten that far because of mymis-labled instruction and you said
SQLIG.DLL wasn't found when I shoudl have had you looking for ctlo..Didn't realise you had proceeded..change Moveit and run Fix.bat then restore.bat on restart then post log1.txt

Edited by jwbirdsong, 06 July 2004 - 09:09 PM.

Things you need(all FREE)
Anti-Virus (Only One of these)
AVG Avast
Firewall (Only One here too)
Kerio(Direct Download) Zone Alarm
Misc. (Use all 3 together)
IE Spyads SpywareBlaster Spyware Guard
Windows Update (Once a week)
get all CRITICAL Updates

Things you want(Still Free)
Mozillia Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

Please donate to the site to help us help you. Info found HERE

Posted Image
PROUD member Since 2004

#14 triplem

triplem

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 07 July 2004 - 11:05 AM

I was denied access to the site, after your last post last night. One hour drive to home, so I left.

Here is lastest FnF log.


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** freeatlast100.100free.com ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Tue 07/06/2004
9:17pm up 0 days, 0:04

Microsoft Windows 2000 [Version 5.00.2195]
╗╗╗IE build and last SP(s)
6.0.2800.1106 SP1-Q837009-Q832894
The type of the file system is NTFS.
C: is not dirty.

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG1!***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Scanning for file(s) in System32...

╗╗╗╗╗╗╗ (1) ╗╗╗╗╗╗╗

╗╗╗╗╗╗╗ (2) ╗╗╗╗╗╗╗
**File C:\FINDnFIX\LIST.TXT

╗╗╗╗╗╗╗ (3) ╗╗╗╗╗╗╗

No matches found.

No matches found.

╗╗╗╗╗╗╗ (4) ╗╗╗╗╗╗╗
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


╗╗╗╗╗(5)╗╗╗╗╗
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

╗╗╗*╗╗╗ Scanning for moved file... ╗╗╗*╗╗╗
* result\\?\C:\JUNKXXX\CTLO.222


C:\JUNKXXX\
ctlo.222 Fri Jun 18 2004 7:47:14p A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\JUNKXXX\CTLO.222

**File C:\JUNKXXX\CTLO.222
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....Ó.

A----- CTLO .222 0000E000 19:47.14 18/06/2004

move %WinDir%\System32\CTLO.DLL %SystemDrive%\junkxxx\CTLO.DLL



--a-- W32i - - - - 57,344 06-18-2004 ctlo.222
A C:\junkxxx\ctlo.222
File: <C:\junkxxx\ctlo.222>CRC-32 : D5C9FB2EMD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
╗╗Permissions:
C:\junkxxx\ctlo.222 Everyone:(special access:) SYNCHRONIZE
FILE_EXECUTE

NT AUTHORITY\SYSTEM:F
BUILTIN\Administrators:F

Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000013 tco- 001F01FF ---- DSPO rw+x COMPAQDPMM\MICHAEL

Owner: BUILTIN\Administrators

Primary Group: DOMAIN\Domain Admins

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000003 tco- 001F01FF ---- DSPO rw+x COMPAQDPMM\MICHAEL

Owner: BUILTIN\Administrators

Primary Group: BUILTIN\Administrators

File "C:\junkxxx\ctlo.222"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Owner: BUILTIN\Administrators

Primary Group: DOMAIN\Domain Admins


╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

╗╗Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



╗╗Notepad check....

C:\WINDOWS\
notepad.exe Tue Jun 29 2004 6:33:32p A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K

C:\WINDOWS\SYSTEM32\
notepad.exe Tue Dec 7 1999 7:00:00a A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K

C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Tue Dec 7 1999 7:00:00a A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K
--a-- W32i APP ENU 5.0.2140.1 shp 50,960 12-07-1999 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft® Windows ® 2000 Operating System
ProductVersion 5.00.2140.1
FileVersion 5.00.2140.1
LegalCopyright Copyright © Microsoft Corp. 1981-1999

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050000:085c0001 (5.0:2140.1)
ProdVer: 00050000:085c0001 (5.0:2140.1)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

00001150: ?
00001190: X
000011D0: vk \ DeviceNotSelectedTimeout 1 5 `
00001210: 0 vk ' GDIProcessHandleQuota
00001250:eQuotask vk x Spooler y e s ,
00001290: vk , swapdisk vk Transmis
000012D0:sionRetryTimeout 9 0 ` vk ' " USERProc
00001310:essHandleQuota vk AppInit_DLLsouts
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- WIN.TXT
AppInit_DLLsc

---------- NEWWIN.TXT
AppInit_DLLsoutsŞ
--------------
yes
**File C:\FINDnFIX\NEWWIN.TXT
       
**File C:\FINDnFIX\NEWWIN.TXT
00001338: 01 00 00 00 01 00 02 00 . 5F 44 4C 4C 73 6F 75 74 ........ _DLLsout
**File C:\FINDnFIX\NEWWIN.TXT
        Ó   đ  X ? ░ ­  đ   vk     \ DeviceNotSelectedTimeoutÓ   1 5  `ň ░ň Ŕň 0 ╚   vk  Ç'   GDIProcessHandleQuota eQuotaskÓ   vk  x   Spooler Ŕ   y e s , » »Ó   vk  Ç   , swapdiskđ   vk  Ó   TransmissionRetryTimeout­   9 0  `Ŕ đ   vk  Ç'   " USERProcessHandleQuota ě   vk  Ç    AppInit_DLLsoutsŞ     

#15 jwbirdsong

jwbirdsong

    Slasher O' spyware

  • Emeritus
  • PipPipPipPipPip
  • 2,045 posts

Posted 07 July 2004 - 09:43 PM

what I need is a copy of log.1 from this operation (should have been last thing you did , yes?? )

-DoubleClick on the "RESTORE.bat" file.

It'll run and produce new log. (log1.txt) post it here!

please disregard and see next post.
Were getting there!

PS for what it's worth...everyone was denied access just after my last post; they turned the whole site off for an hour or two.

Edited by jwbirdsong, 08 July 2004 - 07:24 AM.

Things you need(all FREE)
Anti-Virus (Only One of these)
AVG Avast
Firewall (Only One here too)
Kerio(Direct Download) Zone Alarm
Misc. (Use all 3 together)
IE Spyads SpywareBlaster Spyware Guard
Windows Update (Once a week)
get all CRITICAL Updates

Things you want(Still Free)
Mozillia Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

Please donate to the site to help us help you. Info found HERE

Posted Image
PROUD member Since 2004

#16 jwbirdsong

jwbirdsong

    Slasher O' spyware

  • Emeritus
  • PipPipPipPipPip
  • 2,045 posts

Posted 08 July 2004 - 07:11 AM

please disreguard last post; I worked 14 hr day and was to tired to do a log, I guess; all I saw was the HJT log...sorry.. Here is next step

Open the FINDnFIX\Files2< Subfolder:
Run the -> "ZIPZAP.bat" file.
It will quickly clean the rest and
will make a copy of the bad file(s) in the same
folder (junkxxx.zip)

When done, restart your computer and
Delete and entire 'FINDnFIX' file+folder(s)
From C:\, and be sure the C:\junkxxx folder
was deleted (as part of the cleanup process)


As for the remains, run any and all
removal tools once again as they should work properly now!
In particular,
CWShredder.exe and fully updated Ad-Aware!

AdAware download and SETTINGS:
Now download Ad-Aware at http://www.lavasoftu...pport/download/
After installing AAW, and before running the program, FIRST update the reference file following these instructions.
- On the main AdAware screen hit the Check for Updates, hit the 'Connect' key; it will then connect, check for then ask if you want to download latest Ref. files (if one is available), accept. Once downloaded hit "Finish" (Green Checkmark)

Now do the following:

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys. Click 'Next' again
Right-click in that pane and choose "select all"

If it finds "bad" files and registry keys, press "Next" again
It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.
Please post follow up hijackthis log when done!
Things you need(all FREE)
Anti-Virus (Only One of these)
AVG Avast
Firewall (Only One here too)
Kerio(Direct Download) Zone Alarm
Misc. (Use all 3 together)
IE Spyads SpywareBlaster Spyware Guard
Windows Update (Once a week)
get all CRITICAL Updates

Things you want(Still Free)
Mozillia Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

Please donate to the site to help us help you. Info found HERE

Posted Image
PROUD member Since 2004

#17 triplem

triplem

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 08 July 2004 - 01:23 PM

Followed above instructions. Here is latest Hijackthis log.

Logfile of HijackThis v1.98.0
Scan saved at 1:19:36 PM, on 7/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~1\NORTON~4\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~4\npssvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~4\alertsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\HIJACKTHIS1.98\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NORTON~1\NORTON~4\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~4\defalert.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.EXE
O4 - Global Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - (no file)

#18 jwbirdsong

jwbirdsong

    Slasher O' spyware

  • Emeritus
  • PipPipPipPipPip
  • 2,045 posts

Posted 08 July 2004 - 09:54 PM

Real sorry about the long delays in answering your las two or three post, started working crazy hour the day I started you log..Oh well I guess all left to say to......
Congratulations, your log is clean.

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and download is available at link in my signature

And also see TonyKlein's good advice in
So how did I get infected in the first place?

Edited by jwbirdsong, 08 July 2004 - 10:01 PM.

Things you need(all FREE)
Anti-Virus (Only One of these)
AVG Avast
Firewall (Only One here too)
Kerio(Direct Download) Zone Alarm
Misc. (Use all 3 together)
IE Spyads SpywareBlaster Spyware Guard
Windows Update (Once a week)
get all CRITICAL Updates

Things you want(Still Free)
Mozillia Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

Please donate to the site to help us help you. Info found HERE

Posted Image
PROUD member Since 2004

#19 triplem

triplem

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 09 July 2004 - 09:19 AM

Thanks for all your help. I already have downloaded some of the programs you suggest. Thanks again.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button