Guest MGMims

Browser Hijacker keeps coming back

28 posts in this topic

I get "res://qyoyx.dll/index.html#12802" as my home page as well as popups even though I've made several attempts to get rid of it. I also occasionally get an additional IE window with the "http://www.lookfor.cc/index.php?pin=12802" address.

 

I've read the FAQ for this forum and completed the described actions. I've updated and run Ad-aware, which yields 3 objects that I check for delete and delete. I've updated and run Spybot S&D and get DSO Exploit, which I check and fix. This works, but once I close and re-open IE it re-appears.

 

Here is my HijackThis Log:

 

Logfile of HijackThis v1.97.7

Scan saved at 10:57:05 AM, on 7/26/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\ePOAgent\naimas32.exe

C:\Program Files\Symantec\Ghost\ngctw32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\ORL\VNC\WinVNC.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe

C:\WINNT\netfu.exe

C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe

C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE

C:\ePOAgent\naimag32.exe

C:\MSSQL7\Binn\sqlmangr.exe

C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe

C:\WINNT\appxq.exe

C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINNT\System32\MDM.EXE

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\qyoyx.dll/sp.html#12802

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qyoyx.dll/index.html#12802

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qyoyx.dll/index.html#12802

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\qyoyx.dll/sp.html#12802

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qyoyx.dll/index.html#12802

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\qyoyx.dll/sp.html#12802

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UHCL 03312003

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {A5515E36-86C8-7AD1-7FBB-6F21EB78A4CD} - C:\WINNT\apivn32.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [sMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE

O4 - HKLM\..\Run: [NaimAgent_UI] C:\ePOAgent\naimag32.exe

O4 - HKLM\..\Run: [appxq.exe] C:\WINNT\appxq.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

O4 - Startup: Windows Explorer.lnk = C:\WINNT\explorer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Service Manager.LNK = C:\MSSQL7\Binn\sqlmangr.exe

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://WWW.CL.UH.EDU

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D321E8DB-3B9F-49A4-A9F3-B97297282003}: NameServer = 129.7.169.31 129.7.169.32

 

HELP!!!


  1. Please download About:Buster from:
  2. Unzip it to your desktop.
  3. Double click it and hit "Ok".
  4. Click "Start".
  5. Select "Ok" to start the scan.
  6. The scan should take a few seconds.
  7. Once it is done, save the report.
  8. Post the results of the report and a fresh HijackThis log for review.


-- Scan 1 --------

About:Buster Version 1.32

Removed! : C:\WINNT\ocqia.dat

Removed! : C:\WINNT\oemgv.dat

Removed! : C:\WINNT\oemgvs.dat

Removed! : C:\WINNT\qyoyx.dll

Removed! : C:\WINNT\svhvq.dat

Removed! : C:\WINNT\system32\javazx32.exe

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 2 --------

About:Buster Version 1.32

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

Logfile of HijackThis v1.97.7

Scan saved at 7:41:46 PM, on 7/27/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\ePOAgent\naimas32.exe

C:\Program Files\Symantec\Ghost\ngctw32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\ORL\VNC\WinVNC.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe

C:\WINNT\netfu.exe

C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe

C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE

C:\ePOAgent\naimag32.exe

C:\MSSQL7\Binn\sqlmangr.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINNT\System32\MDM.EXE

C:\HJT\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UHCL 03312003

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {A5515E36-86C8-7AD1-7FBB-6F21EB78A4CD} - C:\WINNT\apivn32.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [sMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE

O4 - HKLM\..\Run: [NaimAgent_UI] C:\ePOAgent\naimag32.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT

O4 - Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

O4 - Startup: Windows Explorer.lnk = C:\WINNT\explorer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Service Manager.LNK = C:\MSSQL7\Binn\sqlmangr.exe

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://WWW.CL.UH.EDU

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D321E8DB-3B9F-49A4-A9F3-B97297282003}: NameServer = 129.7.169.31 129.7.169.32


One more time but in safe mode ...

  1. Please download About:Buster from any of the following locations:
  2. Boot into safe mode. (How do I boot into "Safe" mode?)
  3. Unzip the downloaded About:Buster program to your desktop.
  4. Double click it and hit "Ok".
  5. Click "Start".
  6. Select "Ok" to start the scan.
  7. The scan should take a few seconds.
  8. Once it is done, save the report.
  9. Reboot and sign in as you normally do and repeat the procedure for running About:Buster.
  10. Post the results of the report and a fresh HijackThis log for review.


Booted in Safe Mode then ran AboutBuster:

-- Scan 1 --------

About:Buster Version 1.32

Removed! : C:\WINNT\ocqia.dat

Removed! : C:\WINNT\oemgvs.dat

Removed! : C:\WINNT\qyoyx.dll

Removed! : C:\WINNT\system32\winao.exe

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 2 --------

About:Buster Version 1.32

Attempted Clean Of Temp folder.

Pages Reset... Done!

 

Rebooted normal then ran AboutBuster again:

-- Scan 1 --------

About:Buster Version 1.32

Removed! : C:\WINNT\atlyy.exe

Removed! : C:\WINNT\ocqia.dat

Removed! : C:\WINNT\oemgv.dat

Removed! : C:\WINNT\oemgvs.dat

Removed! : C:\WINNT\qyoyx.dll

Removed! : C:\WINNT\svhvq.dat

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 2 --------

About:Buster Version 1.32

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

Ran Hijack This:

Logfile of HijackThis v1.97.7

Scan saved at 9:34:26 PM, on 7/27/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\ePOAgent\naimas32.exe

C:\Program Files\Symantec\Ghost\ngctw32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\ORL\VNC\WinVNC.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe

C:\WINNT\netfu.exe

C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe

C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE

C:\ePOAgent\naimag32.exe

C:\MSSQL7\Binn\sqlmangr.exe

C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE

\b3308-32832\ldlogon\hatscanner.exe

C:\HJT\AboutBuster.exe

C:\WINNT\system32\winpt.exe

C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\qyoyx.dll/sp.html#12802

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qyoyx.dll/index.html#12802

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qyoyx.dll/index.html#12802

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\qyoyx.dll/sp.html#12802

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qyoyx.dll/index.html#12802

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\qyoyx.dll/sp.html#12802

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UHCL 03312003

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {A5515E36-86C8-7AD1-7FBB-6F21EB78A4CD} - C:\WINNT\apivn32.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [sMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE

O4 - HKLM\..\Run: [NaimAgent_UI] C:\ePOAgent\naimag32.exe

O4 - HKLM\..\Run: [winpt.exe] C:\WINNT\system32\winpt.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT

O4 - Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

O4 - Startup: Windows Explorer.lnk = C:\WINNT\explorer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Service Manager.LNK = C:\MSSQL7\Binn\sqlmangr.exe

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://WWW.CL.UH.EDU

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D321E8DB-3B9F-49A4-A9F3-B97297282003}: NameServer = 129.7.169.31 129.7.169.32


This infection is not going away - Let's go back to the old manual method....

  1. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".
  2. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "netfu.exe". If you find the file, click on it, and then click End Process => Exit the Task Manager.
  3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.
  4. Scroll down and find the service called "Network Security Service".
  5. When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
  6. Run HijackThis, click on "Scan" and then place a check mark in the following boxes, and click on "Fix Checked":
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\qyoyx.dll/sp.html#12802
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qyoyx.dll/index.html#12802
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qyoyx.dll/index.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\qyoyx.dll/sp.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qyoyx.dll/index.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\qyoyx.dll/sp.html#12802
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
    O2 - BHO: (no name) - {A5515E36-86C8-7AD1-7FBB-6F21EB78A4CD} - C:\WINNT\apivn32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://WWW.CL.UH.EDU
  7. Reboot into Safe Mode - How do I boot into "Safe" mode?, and delete the following files:
  8. Go to Start => Run and type in "regedit" (without quotes) and press "Enter".
  9. Once the registry opens, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3
    If __NS_Service_3 exists, right click on it and choose delete from the menu.
  10. Still in the registry, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3
    If LEGACY___NS_Service_3 exists then right click on it and choose delete from the menu.
  11. Exit regedit and reboot in Normal Mode.
  12. Two files (Possibly three) were also deleted from your computer and need to be replaced.
    • control.exe - Go to Merijn Files (control) and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.
    • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program.
    • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

  13. Run HiJackThis again and post a new log in this thread.

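Added example (not part of the original thread and not code from HijackThis or About:Buster): a small Python triage script that compares successive HijackThis logs to show which entries were cleaned and then came back, which is the symptom that points to a separate reinstalling component such as the service and netfu.exe process targeted above. The function names are hypothetical, the three scans are abbreviated excerpts of the logs posted earlier in this thread, and the "Run value named after its own .exe" check is a heuristic assumed from the appxq.exe / winpt.exe entries seen here.

```python
import ntpath
import re
from typing import NamedTuple

# HijackThis result lines look like "R0 - ..." or "O4 - ..."; the header and
# running-process lines do not match this pattern and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Body of an O4 registry autorun: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


class Entry(NamedTuple):
    code: str
    body: str


def parse_entries(log_text):
    """Return the set of result entries (R*, O*, ...) found in one log."""
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.add(Entry(match["code"], match["body"]))
    return entries


def reappearing(scans):
    """Entries present in one scan, absent from a later one, then present again."""
    parsed = [parse_entries(text) for text in scans]
    found = set()
    for i in range(len(parsed)):
        for j in range(i + 1, len(parsed)):
            removed = parsed[i] - parsed[j]
            for later in parsed[j + 1:]:
                found |= removed & later
    return found


def self_named_run_values(log_text):
    """Heuristic (assumption): Run values whose name is the .exe's own file name."""
    names = set()
    for entry in parse_entries(log_text):
        match = RUN_RE.match(entry.body) if entry.code == "O4" else None
        if not match:
            continue
        name, cmd = match["name"], match["cmd"].strip('"')
        if name.lower().endswith(".exe") and ntpath.basename(cmd).lower() == name.lower():
            names.add(name)
    return names


# Abbreviated excerpts of the three logs posted in this thread.
SCAN_1 = r"""
Logfile of HijackThis v1.97.7
Scan saved at 10:57:05 AM, on 7/26/2004
C:\WINNT\netfu.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qyoyx.dll/index.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UHCL 03312003
O2 - BHO: (no name) - {A5515E36-86C8-7AD1-7FBB-6F21EB78A4CD} - C:\WINNT\apivn32.dll
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [appxq.exe] C:\WINNT\appxq.exe
"""

SCAN_2 = r"""
Logfile of HijackThis v1.97.7
Scan saved at 7:41:46 PM, on 7/27/2004
C:\WINNT\netfu.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UHCL 03312003
O2 - BHO: (no name) - {A5515E36-86C8-7AD1-7FBB-6F21EB78A4CD} - C:\WINNT\apivn32.dll
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
"""

SCAN_3 = r"""
Logfile of HijackThis v1.97.7
Scan saved at 9:34:26 PM, on 7/27/2004
C:\WINNT\netfu.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qyoyx.dll/index.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UHCL 03312003
O2 - BHO: (no name) - {A5515E36-86C8-7AD1-7FBB-6F21EB78A4CD} - C:\WINNT\apivn32.dll
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [winpt.exe] C:\WINNT\system32\winpt.exe
"""

SCANS = [SCAN_1, SCAN_2, SCAN_3]

if __name__ == "__main__":
    for entry in sorted(reappearing(SCANS)):
        print("came back:", entry.code, "-", entry.body)
    for number, scan in enumerate(SCANS, start=1):
        print("scan", number, "self-named Run values:", sorted(self_named_run_values(scan)))
```

The exact-match comparison catches the res:// start page returning, but not the Run value, because its file name differs between scans; the second check is what surfaces that one.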

When I select netfu.exe in Task Manager and click End Process, I get this error: "Unable to Terminate Process The operation could not be completed. Access is denied." Should I continue with the other steps?


It appears to be fixed!!!

Logfile of HijackThis v1.97.7

Scan saved at 10:26:44 AM, on 7/29/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\ePOAgent\naimas32.exe

C:\Program Files\Symantec\Ghost\ngctw32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\ORL\VNC\WinVNC.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe

C:\WINNT\netfu.exe

C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe

C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE

C:\ePOAgent\naimag32.exe

C:\WINNT\system32\winpt.exe

C:\MSSQL7\Binn\sqlmangr.exe

C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINNT\System32\MDM.EXE

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uhcl.edu/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UHCL 03312003

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3C152B1B-233A-35E8-801F-50DBEE75F199} - C:\WINNT\system32\javadx.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [sMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE

O4 - HKLM\..\Run: [NaimAgent_UI] C:\ePOAgent\naimag32.exe

O4 - HKLM\..\Run: [winpt.exe] C:\WINNT\system32\winpt.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT

O4 - Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

O4 - Startup: Windows Explorer.lnk = C:\WINNT\explorer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Service Manager.LNK = C:\MSSQL7\Binn\sqlmangr.exe

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D321E8DB-3B9F-49A4-A9F3-B97297282003}: NameServer = 129.7.169.31 129.7.169.32


One more entry to delete in HijackThis:

O4 - HKLM\..\Run: [winpt.exe] C:\WINNT\system32\winpt.exe

 

Then delete the file: C:\WINNT\system32\winpt.exe

 

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

  1. Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  2. Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  3. IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  4. MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  5. Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  6. Run Ad-Aware with the latest update.
    • Download the latest version of Ad-Aware from here.
    • After installing Ad-aware, and before running the program, please be sure to update the reference file as per these instructions.
    • Reconfigure Ad-Aware for Full Scan as per the following instructions:
      • Launch the program, and click on the Gear at the top of the start screen.
      • Click the "Scanning" button (On the left side).
      • Under Drives & Folders, select "Scan within Archives" (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
      • Click "Click here to select Drives + folders" and select your installed hard drives.
      • Under Memory & Registry, select all options.
      • Click the "Advanced" button (On the left hand side).
      • Under "Log-file detail", select all options.
      • Click the "Tweak" button (Again, on the left hand side).
      • Expand "Scanning Engine" by clicking on the "+" (plus) symbol and select the following:
        • "Include additional Ad-aware settings in logfile"
        • "Unload recognized processes during scanning."
      • Under "Cleaning Engine", select the following:
        • "Automatically try to unregister objects prior to deletion."
        • "Let Windows remove files in use after reboot."
      • Click on "Proceed" to save these Preferences.
      • Click on the "Scan Now" button on the left.
      • Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".
      • Select "Activate in-Depth scan".
      • Close all programs except Ad-aware.
      • Click on "Next" in the bottom right corner to start the scan.
    • Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - even if not prompted to.
    • After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.
  7. Download the latest version of Spybot from either:
    • Install Spybot and by default it should install into C:\Program Files\Spybot - Search & Destroy.
    • Run Spybot by clicking on "Start" => "Programs" => "Spybot - Search & Destroy" => "Spybot - Search & Destroy".
    • The first time you run it, allow it to create a backup of your registry when prompted. This will take a few minutes to complete.
    • Click on "Search for Updates".
    • If any updates are found, place a check mark next to each and click on "Download Updates".
    • Click on "Immunize" and once it detects what has or has not been blocked, block all remaining items by clicking on the green plus sign next to immunize at the top.
    • Click on "Search & Destroy" => "Check for Problems".
    • If any problems are found, be sure to click on "Fix Selected Problems".

I must be doing something wrong. I deleted that entry in HJT. If I rescan with the HJT window still open, that entry is no longer there; if I close the window, then reopen HJT and scan, that entry is still there. I looked for winpt.exe in C:\WINNT\system32\ but it's not there. I searched in the c:\winnt directory for a file by this name but couldn't find it.

 

I've already installed SpywareBlaster on my system and I will follow through with the rest of your suggestions. Thank you for all your help!!!

 

In the meantime here is the latest HJT log (after deleting the winpt entry and rescanning):

Logfile of HijackThis v1.97.7

Scan saved at 4:08:16 PM, on 7/29/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\ePOAgent\naimas32.exe

C:\Program Files\Symantec\Ghost\ngctw32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\ORL\VNC\WinVNC.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe

C:\WINNT\netfu.exe

C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe

C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE

C:\ePOAgent\naimag32.exe

C:\WINNT\system32\winpt.exe

C:\MSSQL7\Binn\sqlmangr.exe

C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\WINNT\System32\MDM.EXE

C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uhcl.edu/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UHCL 03312003

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3C152B1B-233A-35E8-801F-50DBEE75F199} - C:\WINNT\system32\javadx.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [sMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE

O4 - HKLM\..\Run: [NaimAgent_UI] C:\ePOAgent\naimag32.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

O4 - Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe

O4 - Startup: Windows Explorer.lnk = C:\WINNT\explorer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Service Manager.LNK = C:\MSSQL7\Binn\sqlmangr.exe

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8197.3618865741

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D321E8DB-3B9F-49A4-A9F3-B97297282003}: NameServer = 129.7.169.31 129.7.169.32


I also have just noticed that when I perform a search, a new browser window opens with search-to-find.com web site with suggestions on the topic I am searching.


Please open notepad, copy the contents of the quote box into notepad and save it as iefix.reg. Double click on the iefix.reg file and when prompted, just respond "Yes". This will reset all your IE settings back to their defaults.

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]

"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"

"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"

"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]

"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]

"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

"Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]

""="http://home.microsoft.com/access/autosearch.asp?p=%s"

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]

"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

"Search Bar"="http://search.msn.com/spbasic.htm"

"Use Custom Search URL"=dword:00000000

 

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

 

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]

@="http://"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]

"ftp"="ftp://"

"gopher"="gopher://"

"home"="http://"

"mosaic"="http://"

"www"="http://"

This will reset the IE search Pages etc back to Microsoft defaults - You can change your home page etc afterwards. Post another log and any additional info when this is done.


Here is new HJT log, still can't get rid of winpt.exe:

 

Logfile of HijackThis v1.97.7

Scan saved at 8:18:41 PM, on 7/29/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\ePOAgent\naimas32.exe

C:\Program Files\Symantec\Ghost\ngctw32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\ORL\VNC\WinVNC.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe

C:\WINNT\netfu.exe

C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe

C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE

C:\ePOAgent\naimag32.exe

C:\WINNT\system32\winpt.exe

C:\MSSQL7\Binn\sqlmangr.exe

C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINNT\System32\MDM.EXE

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uhcl.edu/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UHCL 03312003

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3C152B1B-233A-35E8-801F-50DBEE75F199} - C:\WINNT\system32\javadx.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [sMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE

O4 - HKLM\..\Run: [NaimAgent_UI] C:\ePOAgent\naimag32.exe

O4 - HKLM\..\Run: [winpt.exe] C:\WINNT\system32\winpt.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

O4 - Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Startup: Windows Explorer.lnk = C:\WINNT\explorer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Service Manager.LNK = C:\MSSQL7\Binn\sqlmangr.exe

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8197.3618865741

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D321E8DB-3B9F-49A4-A9F3-B97297282003}: NameServer = 129.7.169.31 129.7.169.32


Did you follow the instructions about ad-aware, spybot, spywareblaster etc? I see no sign of them in your logs which indicates that you have NOT completed all steps. I cannot help you fix the problem if you do not follow the recommendations given ??


I have already installed and run SpywareBlaster, SpywareGuard, Ad-aware and Spybot S&D. I am still working on IE/Spyad, MVPS Hosts file and Google Toolbar. Once I have finished these, I will post another HJT log. Thanks for all your help!!!


I have completed all of your instructions. Here are my outstanding issues:

 

1. No matter how many times I run Spybot S&D, I still end up with 2 entries of DSO Exploit that I select to fix, but they apparently keep coming back.

 

2. Every time I open or close an IE window or a Windows Explorer window, I get SpywareGuard errors stating that "res://c:\WINNT\knlcu.dll/sp.htm/#12802" is trying to overwrite my old values. I have to click "Restore old value" 5 or 6 times.

 

3. When I added the HOSTS file, the documentation for Ad-aware states that running ad-aware will "create "Bad hosts file entry" in the log file generated at the end of a scan. The best thing to do is to place a check in each entry, right-click and select: "Add selection to ignorelist". Otherwise if you let AWW "fix" these items it will trash the HOSTS file!". I've run ad-aware but I don't get the "bad hosts file entry" error. Is this okay???

 

Here is my latest HJT log:

Logfile of HijackThis v1.97.7

Scan saved at 1:39:09 PM, on 7/30/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\ePOAgent\naimas32.exe

C:\Program Files\Symantec\Ghost\ngctw32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\ORL\VNC\WinVNC.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe

C:\WINNT\netfu.exe

C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe

C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE

C:\ePOAgent\naimag32.exe

C:\MSSQL7\Binn\sqlmangr.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uhcl.edu/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UHCL 03312003

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3C152B1B-233A-35E8-801F-50DBEE75F199} - C:\WINNT\system32\javadx.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [sMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE

O4 - HKLM\..\Run: [NaimAgent_UI] C:\ePOAgent\naimag32.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

O4 - Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Startup: Windows Explorer.lnk = C:\WINNT\explorer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Service Manager.LNK = C:\MSSQL7\Binn\sqlmangr.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8197.3618865741

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D321E8DB-3B9F-49A4-A9F3-B97297282003}: NameServer = 129.7.169.31 129.7.169.32


PLEASE HELP!!! :techsupport:

Still having problems as described in previous post. Plus I noticed Notepad won't stay open and noticed "Search Assistent" and "Shopping Wizzard" in Add/Remove Programs. I haven't touched these since I've read in other posts that it does no good.

 

I decided to reboot in safe mode and run AboutBuster again, then boot in normal mode and run AB and HJT to get new logs.

 

UPDATED LOGS:

 

Rebooted Safemode

AB Log:

-- Scan 1 --------

About:Buster Version 2.0

Deleted Service Key Successfully!

Removed! : C:\WINNT\d3jr32.exe

Removed! : C:\WINNT\knlcu.dll

Removed! : C:\WINNT\oemgvs.dat

Removed! : C:\WINNT\vgguud.dat

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 2 --------

About:Buster Version 2.0

Attempted Clean Of Temp folder.

Pages Reset... Done!

 

Rebooted Normal

 

AB Log:

-- Scan 1 --------

About:Buster Version 2.0

Deleted Service Key Successfully!

Removed! : C:\WINNT\atlga32.exe

Removed! : C:\WINNT\jvyak.dat

Removed! : C:\WINNT\knlcu.dat

Removed! : C:\WINNT\knlcu.dll

Removed! : C:\WINNT\system32\ipgr32.exe

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 2 --------

About:Buster Version 2.0

Removed! : C:\WINNT\jvyak.dat

Removed! : C:\WINNT\knlcu.dat

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 3 --------

About:Buster Version 2.0

Removed! : C:\WINNT\jvyak.dat

Removed! : C:\WINNT\knlcu.dat

Removed! : C:\WINNT\knlcu.dll

Removed! : C:\WINNT\oemgvs.dat

Removed! : C:\WINNT\system32\atlir32.exe

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 4 --------

About:Buster Version 2.0

Removed! : C:\WINNT\jvyak.dat

Removed! : C:\WINNT\knlcu.dat

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 5 --------

About:Buster Version 2.0

Removed! : C:\WINNT\ipds32.exe

Removed! : C:\WINNT\jvyak.dat

Removed! : C:\WINNT\knlcu.dat

Removed! : C:\WINNT\knlcu.dll

Removed! : C:\WINNT\oemgvs.dat

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

HJT Log:

Logfile of HijackThis v1.97.7

Scan saved at 2:52:03 PM, on 8/1/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\ePOAgent\naimas32.exe

C:\Program Files\Symantec\Ghost\ngctw32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\ORL\VNC\WinVNC.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe

C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe

C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE

C:\ePOAgent\naimag32.exe

C:\MSSQL7\Binn\sqlmangr.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe

C:\WINNT\netfu.exe

C:\WINNT\crya32.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uhcl.edu/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UHCL 03312003

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3C152B1B-233A-35E8-801F-50DBEE75F199} - C:\WINNT\system32\javadx.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [sMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE

O4 - HKLM\..\Run: [NaimAgent_UI] C:\ePOAgent\naimag32.exe

O4 - HKLM\..\Run: [crya32.exe] C:\WINNT\crya32.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Service Manager.LNK = C:\MSSQL7\Binn\sqlmangr.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8197.3618865741

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D321E8DB-3B9F-49A4-A9F3-B97297282003}: NameServer = 129.7.169.31 129.7.169.32
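Added example (not part of the original posts): a Python script that parses two HijackThis logs and reports what changed between scans, which is the comparison this thread does by eye across successive logs. The two excerpts are constructed from lines in the 7/30 and 8/1 logs above; the function names and the "Run value named after its own executable" heuristic are assumptions of this example, not HijackThis features.

```python
import re

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")          # e.g. "O4 - HKLM\..\Run: ..."
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")                       # a running-process path
EXE_RE = re.compile(r'"?(.+?\.exe)', re.IGNORECASE)         # executable part of a command

# Constructed excerpts: a handful of lines taken from the 7/30 and 8/1 logs.
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
Scan saved at 1:39:09 PM, on 7/30/2004
Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\netfu.exe
C:\WINNT\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uhcl.edu/
O2 - BHO: (no name) - {3C152B1B-233A-35E8-801F-50DBEE75F199} - C:\WINNT\system32\javadx.dll
O4 - HKLM\..\Run: [NaimAgent_UI] C:\ePOAgent\naimag32.exe
O4 - Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.97.7
Scan saved at 2:52:03 PM, on 8/1/2004
Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\netfu.exe
C:\WINNT\crya32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uhcl.edu/
O2 - BHO: (no name) - {3C152B1B-233A-35E8-801F-50DBEE75F199} - C:\WINNT\system32\javadx.dll
O4 - HKLM\..\Run: [NaimAgent_UI] C:\ePOAgent\naimag32.exe
O4 - HKLM\..\Run: [crya32.exe] C:\WINNT\crya32.exe
"""


def parse_hjt(text):
    """Split a HijackThis log into scan time, running processes and entries."""
    log = {"saved": None, "processes": set(), "entries": []}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # tolerate blank lines between log lines
        entry = ENTRY_RE.match(line)
        if line.startswith("Scan saved at "):
            log["saved"] = line[len("Scan saved at "):]
        elif line == "Running processes:":
            in_procs = True
        elif entry:
            in_procs = False
            log["entries"].append((entry.group(1), entry.group(2)))
        elif in_procs and PATH_RE.match(line):
            log["processes"].add(line.lower())   # Windows paths are case-insensitive
    return log


def diff_logs(old, new):
    """Return entries added/removed and processes that appear only in the new log."""
    old_keys = {(c, b.lower()) for c, b in old["entries"]}
    new_keys = {(c, b.lower()) for c, b in new["entries"]}
    return {
        "added": [e for e in new["entries"] if (e[0], e[1].lower()) not in old_keys],
        "removed": [e for e in old["entries"] if (e[0], e[1].lower()) not in new_keys],
        "new_processes": sorted(new["processes"] - old["processes"]),
    }


def self_named_run_values(entries):
    """Heuristic (assumption): O4 Run values whose name equals the executable's
    file name, as with the winpt.exe and crya32.exe entries in this thread."""
    hits = []
    for code, body in entries:
        run = RUN_RE.match(body) if code == "O4" else None
        if not run:
            continue
        name, command = run.group(3), run.group(4)
        exe = EXE_RE.match(command)
        if exe and exe.group(1).split("\\")[-1].lower() == name.lower():
            hits.append((name, command))
    return hits


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    changes = diff_logs(before, after)
    print("Comparing", before["saved"], "->", after["saved"])
    for code, body in changes["added"]:
        print("  + %s - %s" % (code, body))
    for code, body in changes["removed"]:
        print("  - %s - %s" % (code, body))
    for proc in changes["new_processes"]:
        print("  new process:", proc)
    for name, command in self_named_run_values(changes["added"]):
        print("  review autorun:", name, "->", command)
```

An entry that shows up under "added" again after it was fixed in an earlier scan indicates something still running is rewriting it, so the process list of the same log is the next place to look.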


Can you post another HijackThis log so that we can verify that there are no other problems lurking in the shadows.


I guess I spoke too soon. :weep:

 

After I ran AB and thought the problem was fixed, I spent 2 hours surfing the web before making the previous post. I thought that if anything would go wrong it would have done so by then; however, this morning the problem reappeared. I ran AB again so it went away but it probably won't stay gone :scratchhead: . I've included the AB log and the HJT log. Any help you can give me would be greatly appreciated.

 

Outstanding Issues:

1. SpywareGuard keeps this infection from overtaking my homepage, but I have to click restore old several times.

 

2. Notepad won't stay open.

 

3. Home Search Assistent and Shopping Wizzard still appear in my Add/Remove Programs.

 

Here is the AB Log:

-- Scan 1 --------

About:Buster Version 2.0

Removed! : C:\WINNT\apirv32.exe

Removed! : C:\WINNT\jvyak.dat

Removed! : C:\WINNT\knlcu.dat

Removed! : C:\WINNT\knlcu.dll

Removed! : C:\WINNT\oemgvs.dat

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 2 --------

About:Buster Version 2.0

Removed! : C:\WINNT\knlcu.dll

Removed! : C:\WINNT\system32\apitz.exe

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 3 --------

About:Buster Version 2.0

Removed! : C:\WINNT\knlcu.dll

Removed! : C:\WINNT\system32\msth32.exe

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 4 --------

About:Buster Version 2.0

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

Here is the HJT log:

Logfile of HijackThis v1.98.1

Scan saved at 10:25:11 AM, on 8/2/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\ePOAgent\naimas32.exe

C:\Program Files\Symantec\Ghost\ngctw32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\ORL\VNC\WinVNC.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe

C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe

C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE

C:\ePOAgent\naimag32.exe

C:\MSSQL7\Binn\sqlmangr.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe

C:\WINNT\netfu.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINNT\system32\notepad.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uhcl.edu/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UHCL 03312003

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3C152B1B-233A-35E8-801F-50DBEE75F199} - C:\WINNT\system32\javadx.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [sMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE

O4 - HKLM\..\Run: [NaimAgent_UI] C:\ePOAgent\naimag32.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Service Manager.LNK = C:\MSSQL7\Binn\sqlmangr.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{D321E8DB-3B9F-49A4-A9F3-B97297282003}: NameServer = 129.7.169.31 129.7.169.32


The only entry I see left as being questionable is:

O2 - BHO: (no name) - {3C152B1B-233A-35E8-801F-50DBEE75F199} - C:\WINNT\system32\javadx.dll

You can delete the entry using HijackThis and then delete the corresponding file.

 

Do you have a firewall installed? If not, it is almost a 100% guarantee that you will keep on getting infected. Check ZoneAlarm for a free firewall.


I added the firewall as you suggested. javadx appears to be the culprit. Removing it fixed my browser problem to where I don't get the Spyguard errors about changing my browser every time I open or close Windows Explorer or Internet Explorer. The problem is that it keeps coming back and it has come back with a vengeance!!! Now I'm getting a Spyguard error of "BHO Browser Help Object has been added! The following BHO has been added to your system: {1F309ED6-83E8-0595-519D-C0E43FF318D0} File Location: C:/WINNT\system32\atldn32.dll" every few minutes!!! I have to keep selecting "Remove the BHO" button. HELP!!!

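The triage in the reply above and the reappearance described in this post, as an added example that is not part of the original thread: it parses HijackThis O2 lines and flags Browser Helper Objects that have no class name and a DLL directly in the system directory, the two traits the flagged javadx.dll entry shows. Treating those two traits as the test is an assumption of this example, as are the function names and the system-directory list; the second input line is constructed from the alert text quoted above.

```python
import ntpath
import re

# O2 lines copied from the 7/26/2004 log in this thread.
FIRST_SCAN = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C152B1B-233A-35E8-801F-50DBEE75F199} - C:\WINNT\system32\javadx.dll
"""
# Constructed line: the BHO from the SpywareGuard alert quoted above, written
# the way HijackThis would list it. It never appears in a posted log.
LATER_ALERT = r"""
O2 - BHO: (no name) - {1F309ED6-83E8-0595-519D-C0E43FF318D0} - C:/WINNT\system32\atldn32.dll
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# Assumption: the Windows system directories this heuristic looks at.
SYSTEM_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}

def parse_bhos(log_text):
    """Return one dict (name, clsid, path) per O2 line in a HijackThis log."""
    matches = (O2_RE.match(line.strip()) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]

def is_questionable(bho):
    """True when the BHO has no class name and its DLL sits in a system directory."""
    unnamed = bho["name"].strip().lower() == "(no name)"
    folder = ntpath.dirname(ntpath.normpath(bho["path"])).lower()
    return unnamed and folder in SYSTEM_DIRS

def questionable_bhos(log_text):
    """(CLSID, DLL file name) for each BHO a human should review."""
    return [(b["clsid"], ntpath.basename(ntpath.normpath(b["path"])))
            for b in parse_bhos(log_text) if is_questionable(b)]

def shared_identifiers(log_a, log_b):
    """CLSIDs and DLL names flagged in both logs; empty if the object was renamed."""
    ids = lambda log: {v.lower() for pair in questionable_bhos(log) for v in pair}
    return ids(log_a) & ids(log_b)

if __name__ == "__main__":
    print(questionable_bhos(FIRST_SCAN))
    print(questionable_bhos(LATER_ALERT))
    print(shared_identifiers(FIRST_SCAN, LATER_ALERT))
```

The two flagged objects share neither CLSID nor file name, so a check keyed on the first identifier would miss the second, while the trait-based check catches both.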

Logfile of HijackThis v1.98.1

Scan saved at 9:37:54 PM, on 8/3/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\ePOAgent\naimas32.exe

C:\Program Files\Symantec\Ghost\ngctw32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\ORL\VNC\WinVNC.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe

C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe

C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE

C:\ePOAgent\naimag32.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe

C:\MSSQL7\Binn\sqlmangr.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE

C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE

C:\WINNT\netfu.exe

C:\WINNT\explorer.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uhcl.edu/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UHCL 03312003

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [sMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE

O4 - HKLM\..\Run: [NaimAgent_UI] C:\ePOAgent\naimag32.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT

O4 - Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Service Manager.LNK = C:\MSSQL7\Binn\sqlmangr.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{D321E8DB-3B9F-49A4-A9F3-B97297282003}: NameServer = 129.7.169.31 129.7.169.32


I actually do not see any further signs of infection in your log.

 

Complete the recommendations as listed below and let me know if that clears it up:

Here are some tips. To reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

  1. Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  2. Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  3. IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  4. MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  5. Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  6. Run Ad-Aware with the latest update.
    • Download the latest version of Ad-Aware from here.
    • After installing Ad-aware, and before running the program, please be sure to update the reference file as per these instructions.
    • Reconfigure Ad-Aware for Full Scan as per the following instructions:
      • Launch the program, and click on the Gear at the top of the start screen.
      • Click the "Scanning" button (On the left side).
      • Under Drives & Folders, select "Scan within Archives" (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
      • Click "Click here to select Drives + folders" and select your installed hard drives.
      • Under Memory & Registry, select all options.
      • Click the "Advanced" button (On the left hand side).
      • Under "Log-file detail", select all options.
      • Click the "Tweak" button (Again, on the left hand side).
      • Expand "Scanning Engine" by clicking on the "+" (plus) symbol and select the following:
        • "Include additional Ad-aware settings in logfile"
        • "Unload recognized processes during scanning."
      • Under "Cleaning Engine", select the following:
        • "Automatically try to unregister objects prior to deletion."
        • "Let Windows remove files in use after reboot."
      • Click on "Proceed" to save these Preferences.
      • Click on the "Scan Now" button on the left.
      • Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".
      • Select "Activate in-Depth scan".
      • Close all programs except Ad-Aware.
      • Click on "Next" in the bottom right corner to start the scan.
    • Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - even if not prompted to.
    • After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.
  7. Download the latest version of Spybot from either:
    • Install Spybot and by default it should install into C:\Program Files\Spybot - Search & Destroy.
    • Run Spybot by clicking on "Start" => "Programs" => "Spybot - Search & Destroy" => "Spybot - Search & Destroy".
    • The first time you run it, allow it to create a backup of your registry when prompted. This will take a few minutes to complete.
    • Click on "Search for Updates".
    • If any updates are found, place a check mark next to each and click on "Download Updates".
    • Click on "Immunize" and once it detects what has or has not been blocked, block all remaining items by clicking on the green plus sign next to immunize at the top.
    • Click on "Search & Destroy" => "Check for Problems".
    • If any problems are found, be sure to click on "Fix Selected Problems".


So far... so good.

 

I re-booted in safe mode. I deleted all the stuff in all temporary folders and the recycle bin. Then I followed the instructions at http://forums.techguy.org/t246140.html exactly for my operating system. I've been online for about an hour and there have been no signs of the infection. A notepad window has been open for almost an hour and it hasn't closed on me. Home Search Assistent and Shopping Wizzard are no longer in Add/Remove Programs. I'm no longer getting SpyGuard errors.

 

Thanks for all the help!!! :D


It has been a pleasure to help you :)

 

The problems here look to be resolved so I will close the thread. If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

 

If you would like to make a contribution to help support SpywareInfo, please check this link for more information.

This topic is now closed to further replies.