Jump to content


Photo

CWS.Searchx


  • This topic is locked This topic is locked
13 replies to this topic

#1 EL_BASTARDO

EL_BASTARDO

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 02 July 2004 - 04:04 PM

Any assistance you guys could offer would be v much appreciated. I've had this for over a week now & it's getting really annoying

Ive run CWshredder lots of times - (result was that i had CWSearchx),I fixed this via CWShredder, removed the the microsoft JVM from my system & installed the sun one instead.
I have Spywareguard installed & have posted the messages below......(i have searched for the particular CLSIDs on google but to no avail)

I have also gone through all the results from hyjackthis myself & identified 2 bad ones which i have removed
( I used this tutorial that was posted in one of th threads here) http://hometown.aol....al/tutorial.htm

I have just run the latest version of adaware (71 recognised items!!), I got adaware to fix them
& then CWShredder straight after (CWS said system was totally clean this time)

I have thought I'd got rid of the probs before only to have it return the next day :(

This is typical of the first message from spywareguard
Posted Image
I press the button to remove it....
Posted Image
then, the following are the other messages i get one after another...
Posted Image
Posted Image
Posted Image
Posted Image
Posted Image

Ive added the following 2 screenshots to show that the BHO has a different number each time (oh, & also seems to locate itseslf in a different .dll file after each bootup)
Posted Image

Posted Image

hyjackthis log in next post....

Edited by EL_BASTARDO, 02 July 2004 - 04:08 PM.


#2 EL_BASTARDO

EL_BASTARDO

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 02 July 2004 - 04:08 PM

Logfile of HijackThis v1.97.7
Scan saved at 21:41:23, on 02/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Trust\250S Series\lwbwheel.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\Documents and Settings\Ian\Desktop\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.lycos.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Cheers
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Trust\250S Series\lwbwheel.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#3 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 02 July 2004 - 04:28 PM

Download and install : "FINDnFIX.exe" from any of
the links in my signature.

Run the "!LOG!.bat" file, wait for the final output (log.txt)
post the results....
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#4 EL_BASTARDO

EL_BASTARDO

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 02 July 2004 - 04:33 PM

Thanks for the fast response..
As i posted this thread I saw the other thread of same title so i have already started following the same steps

firstly ive got the registrarlite result (if any use to you):-
C:\WINDOWS\System32\winh.dll

the "!LOG!.bat" txt file is as follows


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** freeatlast100.100free.com ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Microsoft Windows XP [Version 5.1.2600]
╗╗╗IE build and last SP(s)
6.0.2800.1106 SP1-Q818529-Q330994-Q822925-Q824145-Q832894-Q837009-Q831167
The type of the file system is NTFS.
C: is not dirty.

02/07/2004
10:21pm up 0 days, 5:07

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG!***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Scanning for file(s)...
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗╗╗ (*1*) ╗╗╗╗╗ .........
╗╗Locked or 'Suspect' file(s) found...

C:\WINDOWS\System32\WINH.DLL +++ File read error
\\?\C:\WINDOWS\System32\WINH.DLL +++ File read error

╗╗╗╗╗ (*2*) ╗╗╗╗╗........
**File C:\FINDnFIX\LIST.TXT
WINH.DLL Can't Open!

╗╗╗╗╗ (*3*) ╗╗╗╗╗........

C:\WINDOWS\SYSTEM32\
winh.dll Wed 23 Jun 2004 1:24:12 A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

C:\WINDOWS\SYSTEM32\
nrad.dll Sat 15 May 2004 8:37:30 A.S.. 139,264 136.00 K
oem.dll Thu 25 Mar 2004 18:05:30 A.S.. 53,248 52.00 K
rad.dll Sat 15 May 2004 9:09:16 A.S.. 335,872 328.00 K
radclkr.dll Sat 15 May 2004 9:13:40 A.S.. 348,160 340.00 K
radenu.dll Sat 15 May 2004 8:18:48 A.S.. 61,440 60.00 K
radesp.dll Sat 15 May 2004 8:32:20 A.S.. 61,440 60.00 K
radexe.dll Sat 15 May 2004 9:08:58 A.S.. 151,552 148.00 K
radfra.dll Sat 15 May 2004 8:33:04 A.S.. 65,536 64.00 K
radhun.dll Sat 15 May 2004 8:33:44 A.S.. 61,440 60.00 K
radita.dll Sat 15 May 2004 8:34:24 A.S.. 61,440 60.00 K
radnlb.dll Sat 15 May 2004 8:35:02 A.S.. 61,440 60.00 K
radplk.dll Sat 15 May 2004 8:35:50 A.S.. 65,536 64.00 K
radtype.dll Sat 1 May 2004 10:05:48 A.S.. 147,525 144.07 K

13 items found: 13 files, 0 directories.
Total of file sizes: 1,613,893 bytes 1.54 M

╗╗╗╗╗ (*4*) ╗╗╗╗╗.........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\NRAD.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\OEM.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RAD.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RADCLKR.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RADENU.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RADESP.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RADEXE.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RADFRA.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RADHUN.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RADITA.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RADNLB.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RADPLK.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RADTYPE.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\WINH.DLL
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗

╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

╗╗Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


╗╗Member of...: (Admin logon required!)
User is a member of group IAN-J\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

╗╗ Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


╗╗Notepad check....

C:\WINDOWS\
notepad.exe Wed 23 Jun 2004 1:24:04 A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

No matches found.

C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Wed 23 Jun 2004 1:24:04 A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 06-23-2004 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft« Windows« Operating System
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright ę Microsoft Corporation. All rights reserved.

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

╗╗Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x IAN-J\Ian
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: IAN-J\Ian

Primary Group: IAN-J\None



╗╗╗╗╗╗Backups created...╗╗╗╗╗╗
10:21pm up 0 days, 5:08
02/07/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 07-02-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-02-2004 winkey.reg

╗╗Performing 16bit string scan....
00001150: vk UDeviceNotSelecte
00001190:dTimeout 1 5 P h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 vk Spooler2
00001210: y e s _ vk 5swapdisk h
00001250: X vk . TransmissionRetryTimeout vk
00001290: ' 0 USERProcessHandleQuota0 h X
000012D0: vk : AppInit_DLLs ) C : \ W I N
00001310:D O W S \ S y s t e m 3 2 \ w i n h . d l l
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- WIN.TXT
AppInit_DLLsÇ)Ý
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

Windows
UDeviceNotSelectedTimeout
zGDIProcessHandleQuota"
Spooler2
5swapdisk
TransmissionRetryTimeout
USERProcessHandleQuota0
AppInit

**File C:\FINDnFIX\WIN.TXT
Đ_ňÓ   vk  Ç   5swapdisk h ░ ­  X đ   vk  Ó   . TransmissionRetryTimeoutđ   vk  Ç'   0 USERProcessHandleQuota0 Ó   h ░ ­  X ł ě ě   vk :    AppInit_DLLsÇ)Ý └   C : \ W I N D O W S \ S y s t e m 3 2 \ w i n h . d l l └


#5 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 02 July 2004 - 04:40 PM

Well done! ;)

*Get ready to restart your computer:
- Open the C:\FINDnFIX\Keys1\ Subfolder
-DoubleClick on the "FIX.bat" file
-You will be prompted by popup Alert to restart in 15 seconds.
-Allow it to restart the computer!
-------------------------------------------------------------------------
On restart, navigate to System32 folder:
-Locate and select this file:
-WINH.DLL
(As it will be visible)
And use the folder's top menu>edit>
move to folder...
Select the C:\junkxxx as destination and move
"WINH.DLL" to the C:\junkxxx folder
-----------------------------------------------------------------------
Go back to C:\FINDnFIX\ main folder and
DoubleClick on the "RESTORE.bat" .file
It'll run and produce new log (log1.txt)
Post it!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#6 EL_BASTARDO

EL_BASTARDO

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 02 July 2004 - 04:50 PM

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** freeatlast100.100free.com ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

02/07/2004
10:48pm up 0 days, 0:04

Microsoft Windows XP [Version 5.1.2600]
╗╗╗IE build and last SP(s)
6.0.2800.1106 SP1-Q818529-Q330994-Q822925-Q824145-Q832894-Q837009-Q831167
The type of the file system is NTFS.
C: is not dirty.

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG1!***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Scanning for file(s) in System32...

╗╗╗╗╗╗╗ (1) ╗╗╗╗╗╗╗

╗╗╗╗╗╗╗ (2) ╗╗╗╗╗╗╗
**File C:\FINDnFIX\LIST.TXT

╗╗╗╗╗╗╗ (3) ╗╗╗╗╗╗╗

No matches found.

C:\WINDOWS\SYSTEM32\
nrad.dll Sat 15 May 2004 8:37:30 A.S.. 139,264 136.00 K
oem.dll Thu 25 Mar 2004 18:05:30 A.S.. 53,248 52.00 K
rad.dll Sat 15 May 2004 9:09:16 A.S.. 335,872 328.00 K
radclkr.dll Sat 15 May 2004 9:13:40 A.S.. 348,160 340.00 K
radenu.dll Sat 15 May 2004 8:18:48 A.S.. 61,440 60.00 K
radesp.dll Sat 15 May 2004 8:32:20 A.S.. 61,440 60.00 K
radexe.dll Sat 15 May 2004 9:08:58 A.S.. 151,552 148.00 K
radfra.dll Sat 15 May 2004 8:33:04 A.S.. 65,536 64.00 K
radhun.dll Sat 15 May 2004 8:33:44 A.S.. 61,440 60.00 K
radita.dll Sat 15 May 2004 8:34:24 A.S.. 61,440 60.00 K
radnlb.dll Sat 15 May 2004 8:35:02 A.S.. 61,440 60.00 K
radplk.dll Sat 15 May 2004 8:35:50 A.S.. 65,536 64.00 K
radtype.dll Sat 1 May 2004 10:05:48 A.S.. 147,525 144.07 K

13 items found: 13 files, 0 directories.
Total of file sizes: 1,613,893 bytes 1.54 M

╗╗╗╗╗╗╗ (4) ╗╗╗╗╗╗╗
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\NRAD.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\OEM.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RAD.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RADCLKR.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RADENU.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RADESP.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RADEXE.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RADFRA.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RADHUN.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RADITA.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RADNLB.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RADPLK.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RADTYPE.DLL

╗╗╗*╗╗╗ Scanning for moved file... ╗╗╗*╗╗╗
* result\\?\C:\junkxxx\WINH.222


C:\JUNKXXX\
winh.222 Wed 23 Jun 2004 1:24:12 A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\JUNKXXX\WINH.222

**File C:\JUNKXXX\WINH.222
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....Ó.

A----- WINH .222 0000E000 01:24.12 23/06/2004

rem replace this entire line with your given command.,..




--a-- W32i - - - - 57,344 06-23-2004 winh.222
A C:\junkxxx\winh.222
File: <C:\junkxxx\winh.222>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




╗╗Permissions:
C:\junkxxx\winh.222 BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
IAN-J\Ian:F
BUILTIN\Users:R

Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x IAN-J\Ian
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: IAN-J\Ian

Primary Group: IAN-J\None

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

Owner: BUILTIN\Administrators

Primary Group: NT AUTHORITY\SYSTEM

File "C:\junkxxx\winh.222"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x IAN-J\Ian
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Owner: IAN-J\Ian

Primary Group: IAN-J\None


╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

╗╗Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



╗╗Notepad check....

C:\WINDOWS\
notepad.exe Wed 23 Jun 2004 1:24:04 A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

No matches found.

C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Wed 23 Jun 2004 1:24:04 A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 06-23-2004 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft« Windows« Operating System
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright ę Microsoft Corporation. All rights reserved.

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

00001150: vk UDeviceNotSelecte
00001190:dTimeout 1 5 P h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 vk Spooler2
00001210: y e s _ vk 5swapdisk h
00001250: X vk . TransmissionRetryTimeout vk
00001290: ' 0 USERProcessHandleQuota0 h X
000012D0: vk A AppInit_DLLsa s |
00001310:
00001350:
00001390:
000013D0:
00001410:
00001450: $ ( , 0 4 8 < @
00001490: D H L P T X \ `
000014D0: d h l p t x |
00001510:
00001550:

---------- WIN.TXT
AppInit_DLLsÇ)Ý

---------- NEWWIN.TXT
AppInit_DLLsa
**File C:\FINDnFIX\NEWWIN.TXT
**File C:\FINDnFIX\NEWWIN.TXT
000012F0: 01 00 00 00 01 00 41 00 . 5F 44 4C 4C 73 61 00 73 ......A. _DLLsa.s
**File C:\FINDnFIX\NEWWIN.TXT
Đ_ňÓ   vk  Ç   5swapdisk h ░ ­  X đ   vk  Ó   . TransmissionRetryTimeoutđ   vk  Ç'   0 USERProcessHandleQuota0 Ó   h ░ ­  X ł ě ě   vk  Ç   A AppInit_DLLsa s

#7 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 02 July 2004 - 05:00 PM

Great progress! :thumbsup:

Last step(s):


-Open the FINDnFIX\Files2< Subfolder:
Run the -> "ZIPZAP.bat" file.
It will quickly clean the rest and
will make a copy of the bad file(s) in the same
folder (junkxxx.zip) and open your email client with instructions:
Simply drag and drop the 'junkxxx.zip' file from
the folder into the mail message and submit
to the specified addresses! Thanks!

When done, restart your computer and
Delete and entire 'FINDnFIX' file+folder(s)
From C:\, and be sure the C:\junkxxx folder
was deleted (as part of the cleanup process)


As for the remains, run any and all
removal tools once again as they should work properly now!
In particular,
CWShredder.exe and fully updated Ad-Aware!

Feel free to post follow up hijackthis log when done! ;)
==================================================

Notes***
1.)
Based on your scan results you don't seem to have a copy of notepad.exe in system32 folder.
cws is known to hijack it.
If your notepad in Windows folder is functionning ok, copy it to your system32 folder.
2.)
Non related to the problem, but...

unknown/hidden files...

C:\WINDOWS\SYSTEM32\
nrad.dll Sat 15 May 2004 8:37:30 A.S.. 139,264 136.00 K
oem.dll Thu 25 Mar 2004 18:05:30 A.S.. 53,248 52.00 K
rad.dll Sat 15 May 2004 9:09:16 A.S.. 335,872 328.00 K
radclkr.dll Sat 15 May 2004 9:13:40 A.S.. 348,160 340.00 K
radenu.dll Sat 15 May 2004 8:18:48 A.S.. 61,440 60.00 K
radesp.dll Sat 15 May 2004 8:32:20 A.S.. 61,440 60.00 K
radexe.dll Sat 15 May 2004 9:08:58 A.S.. 151,552 148.00 K
radfra.dll Sat 15 May 2004 8:33:04 A.S.. 65,536 64.00 K
radhun.dll Sat 15 May 2004 8:33:44 A.S.. 61,440 60.00 K
radita.dll Sat 15 May 2004 8:34:24 A.S.. 61,440 60.00 K
radnlb.dll Sat 15 May 2004 8:35:02 A.S.. 61,440 60.00 K
radplk.dll Sat 15 May 2004 8:35:50 A.S.. 65,536 64.00 K
radtype.dll Sat 1 May 2004 10:05:48 A.S.. 147,525 144.07 K

This set of files is a bit concerning.
None is part of windows, and all have system attributes.
Unless you know what these are and if possibly belong to something you have installed or used, locate the files and try to inspect their version info, company etc from their properties.
And/or unpload them here for evaluation:
http://www.kaspersky.com/scanforvirus
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#8 EL_BASTARDO

EL_BASTARDO

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 02 July 2004 - 05:07 PM

just a quick reply......
damn popup warning from spywareguard just appeared as i ran zipzap :(:( i hope this isn't anything to get alarmed about at this stage lol

& looking at those files I think they may refer to radlink overclocking tool judging by the name of this one
radclkr.dll Sat 15 May 2004 9:13:40 A.S.. 348,160 340.00 K

#9 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 02 July 2004 - 05:15 PM

The ZipZap includes a little uninstaller for the bho.

Please disable all your filters and allow it to run.
These filters can't help the problem but they insist on alerting you when you try to fix the problem... :scratchhead:

When done with all the above, reset IE options to
defaults and post hijackthis log! :D

As for the system files, if you know what they belong to there is no reason for concern.
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#10 EL_BASTARDO

EL_BASTARDO

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 02 July 2004 - 05:29 PM

Please disable all your filters and allow it to run.
These filters can't help the problem but they insist on alerting you when you try to fix the problem... :scratchhead: ...........

I hit the "remove BHO" button on spywareguard :huh: hope this will not cause probs as i have deleted the FINDnFIX folder now too lol (sorry, did this b4 u posted again)
I'll run adaware & CWShredder, reset the IE settings, post the hyjackthis log & check those system files out....

Oh, & yeah, i had noticed notepad had gone from its usual place but have been using it from WINDOWS folder so I'll copy it across :)

#11 EL_BASTARDO

EL_BASTARDO

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 02 July 2004 - 05:49 PM

right ran adaware & here's the last few items of the log
CoolWebSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
Value : ITBarLayout


Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New objects : 1
Objects found so far: 4


23:40:53 Scan complete

Summary of this scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time :00:10:59:188
Objects scanned :147853
Objects identified :4
Objects ignored :0
New objects :4

I deleted these through adaware, then ran CWShredder, which came up clean.

here's the hyjackthis log after:-

Logfile of HijackThis v1.97.7
Scan saved at 23:43:44, on 02/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Trust\250S Series\lwbwheel.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Ian\Desktop\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.lycos.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Cheers
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Trust\250S Series\lwbwheel.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#12 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 02 July 2004 - 05:54 PM

All's well! :thumbsup:

Be sure to keep it that way! ;)
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#13 EL_BASTARDO

EL_BASTARDO

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 02 July 2004 - 06:10 PM

excellent :D

A VERY BIG THANKS TO YOU, freeatlast

top marks, appreciate the assistance tonight m8, :keybrd:
Cheers to the guys running the spywareinfo site and keep up the good work :thumbsup:

#14 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 03 July 2004 - 05:30 PM

Glad we could help :D


As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button