• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Pickett

Browser hijack and popups

6 posts in this topic

Hi,

I think my browser has been hacked as the homepage has changed to something and I keep getting popups etc.

 

Here is a full scan from Ad-Aware using the best custom settings, and a HijackThis log.

 

Thanks for your help

 

 

AdAware log:

Lavasoft Ad-aware Personal Build 6.181

Logfile created on  :30 July 2004 09:47:07

Created with Ad-aware Personal, free for private use.

Using reference-file :01R324 22.06.2004

______________________________________________________

 

Reffile status:

=========================

Reference file loaded:

Reference Number : 01R324 22.06.2004

Internal build : 256

File location : C:\PROGRA~1\Lavasoft\AD-AWA~1\reflist.ref

Total size : 1265402 Bytes

Signature data size : 1244925 Bytes

Reference data size : 20413 Bytes

Signatures total : 27677

Target categories : 10

Target families : 506

 

Memory + processor status:

==========================

Number of processors : 1

Processor architecture : Intel Pentium III

Memory available:54 %

Total physical memory:523760 kb

Available physical memory:279460 kb

Total page file size:1280844 kb

Available on page file:1044964 kb

Total virtual memory:2097024 kb

Available virtual memory:2051276 kb

OS:

 

Ad-aware Settings

=========================

Set : Activate in-depth scan (Recommended)

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

 

Extended Ad-aware Settings

=========================

Set : Unload recognized processes during scanning

Set : Include basic Ad-aware settings in logfile

Set : Include additional Ad-aware settings in logfile

Set : Let windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Always back up reference file, before updating

Set : Play sound if scan produced a result

 

 

30-07-2004 09:47:07 - Scan started. (Custom mode)

 

Listing running processes

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

#:1 [smss.exe]

    FilePath          : \SystemRoot\System32\

    ThreadCreationTime : 30-07-2004 08:01:55

    BasePriority      : Normal

 

 

#:2 [winlogon.exe]

    FilePath          : \??\C:\WINDOWS\system32\

    ThreadCreationTime : 30-07-2004 08:01:58

    BasePriority      : High

 

 

#:3 [services.exe]

    FilePath          : C:\WINDOWS\system32\

    ThreadCreationTime : 30-07-2004 08:01:59

    BasePriority      : Normal

    FileSize          : 99 KB

    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)

    ProductVersion    : 5.1.2600.0

    CompanyName        : Microsoft Corporation

    FileDescription    : Services and Controller app

    InternalName      : services.exe

    OriginalFilename  : services.exe

    ProductName        : Microsoft

    Created on        : 29/08/2002 12:00:00

    Last accessed      : 30/07/2004 08:01:59

    Last modified      : 29/08/2002 12:00:00

 

#:4 [lsass.exe]

    FilePath          : C:\WINDOWS\system32\

    ThreadCreationTime : 30-07-2004 08:01:59

    BasePriority      : Normal

    FileSize          : 11 KB

    FileVersion        : 5.1.2600.1106 (xpsp1.020828-1920)

    ProductVersion    : 5.1.2600.1106

    CompanyName        : Microsoft Corporation

    FileDescription    : LSA Shell (Export Version)

    InternalName      : lsass.exe

    OriginalFilename  : lsass.exe

    ProductName        : Microsoft

    Created on        : 29/08/2002 12:00:00

    Last accessed      : 30/07/2004 08:01:55

    Last modified      : 29/08/2002 12:00:00

 

#:5 [svchost.exe]

    FilePath          : C:\WINDOWS\system32\

    ThreadCreationTime : 30-07-2004 08:01:59

    BasePriority      : Normal

    FileSize          : 12 KB

    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)

    ProductVersion    : 5.1.2600.0

    CompanyName        : Microsoft Corporation

    FileDescription    : Generic Host Process for Win32 Services

    InternalName      : svchost.exe

    OriginalFilename  : svchost.exe

    ProductName        : Microsoft

    Created on        : 29/08/2002 12:00:00

    Last accessed      : 30/07/2004 08:02:31

    Last modified      : 29/08/2002 12:00:00

 

#:6 [svchost.exe]

    FilePath          : C:\WINDOWS\System32\

    ThreadCreationTime : 30-07-2004 08:01:59

    BasePriority      : Normal

    FileSize          : 12 KB

    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)

    ProductVersion    : 5.1.2600.0

    CompanyName        : Microsoft Corporation

    FileDescription    : Generic Host Process for Win32 Services

    InternalName      : svchost.exe

    OriginalFilename  : svchost.exe

    ProductName        : Microsoft

    Created on        : 29/08/2002 12:00:00

    Last accessed      : 30/07/2004 08:02:31

    Last modified      : 29/08/2002 12:00:00

 

#:7 [spoolsv.exe]

    FilePath          : C:\WINDOWS\system32\

    ThreadCreationTime : 30-07-2004 08:02:01

    BasePriority      : Normal

    FileSize          : 50 KB

    FileVersion        : 5.1.2600.0 (XPClient.010817-1148)

    ProductVersion    : 5.1.2600.0

    CompanyName        : Microsoft Corporation

    FileDescription    : Spooler SubSystem App

    InternalName      : spoolsv.exe

    OriginalFilename  : spoolsv.exe

    ProductName        : Microsoft

    Created on        : 29/08/2002 12:00:00

    Last accessed      : 30/07/2004 08:01:55

    Last modified      : 29/08/2002 12:00:00

 

#:8 [kodakccs.exe]

    FilePath          : C:\WINDOWS\system32\drivers\

    ThreadCreationTime : 30-07-2004 08:02:02

    BasePriority      : Normal

    FileSize          : 276 KB

    FileVersion        : 1.1.4700.0

    ProductVersion    : 4.3.0.0

    Copyright          : Copyright © Eastman Kodak Co. 2000-2003

    CompanyName        : Eastman Kodak Company

    FileDescription    : Kodak DC Ring 3 Conduit (Win32)

    InternalName      : DcFsSvc.exe

    OriginalFilename  : DcFsSvc.exe

    ProductName        : Kodak DC File System Driver (Win32)

    Created on        : 31/03/2003 14:34:14

    Last accessed      : 30/07/2004 08:01:55

    Last modified      : 31/03/2003 14:34:14

 

#:9 [mdm.exe]

    FilePath          : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\

    ThreadCreationTime : 30-07-2004 08:02:02

    BasePriority      : Normal

    FileSize          : 328 KB

    FileVersion        : 7.10.3077

    ProductVersion    : 7.10.3077

    Copyright          : Copyright

    CompanyName        : Microsoft Corporation

    FileDescription    : Machine Debug Manager

    InternalName      : mdm.exe

    OriginalFilename  : mdm.exe

    ProductName        : Microsoft

    Created on        : 19/03/2003 00:55:56

    Last accessed      : 30/07/2004 08:01:55

    Last modified      : 19/03/2003 00:55:56

 

#:10 [nvsvc32.exe]

    FilePath          : C:\WINDOWS\System32\

    ThreadCreationTime : 30-07-2004 08:02:02

    BasePriority      : Normal

    FileSize          : 80 KB

    FileVersion        : 6.14.10.5216

    ProductVersion    : 6.14.10.5216

    Copyright          : © NVIDIA Corporation. All rights reserved.

    CompanyName        : NVIDIA Corporation

    FileDescription    : NVIDIA Driver Helper Service, Version 52.16

    InternalName      : NVSVC

    OriginalFilename  : nvsvc32.exe

    ProductName        : NVIDIA Driver Helper Service, Version 52.16

    Created on        : 06/10/2003 14:16:00

    Last accessed      : 30/07/2004 08:01:55

    Last modified      : 06/10/2003 14:16:00

 

#:11 [scagent.exe]

    FilePath          : C:\WINDOWS\system32\

    ThreadCreationTime : 30-07-2004 08:02:02

    BasePriority      : Normal

    FileSize          : 25 KB

    Created on        : 19/06/2004 07:17:51

    Last accessed      : 30/07/2004 08:01:55

    Last modified      : 16/07/2004 15:42:03

 

#:12 [scsiaccess.exe]

    FilePath          : C:\WINDOWS\System32\

    ThreadCreationTime : 30-07-2004 08:02:02

    BasePriority      : Normal

    FileSize          : 177 KB

    Created on        : 04/02/2003 07:22:30

    Last accessed      : 30/07/2004 08:01:55

    Last modified      : 04/02/2003 07:22:30

 

#:13 [svchost.exe]

    FilePath          : C:\WINDOWS\System32\

    ThreadCreationTime : 30-07-2004 08:02:02

    BasePriority      : Normal

    FileSize          : 12 KB

    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)

    ProductVersion    : 5.1.2600.0

    CompanyName        : Microsoft Corporation

    FileDescription    : Generic Host Process for Win32 Services

    InternalName      : svchost.exe

    OriginalFilename  : svchost.exe

    ProductName        : Microsoft

    Created on        : 29/08/2002 12:00:00

    Last accessed      : 30/07/2004 08:02:31

    Last modified      : 29/08/2002 12:00:00

 

#:14 [vsmon.exe]

    FilePath          : C:\WINDOWS\system32\ZoneLabs\

    ThreadCreationTime : 30-07-2004 08:02:02

    BasePriority      : Normal

    FileSize          : 901 KB

    FileVersion        : 3.7.202

    ProductVersion    : 3.7.202

    Copyright          : Copyright 

    CompanyName        : Zone Labs Inc.

    FileDescription    : TrueVector Service

    InternalName      : vsmon

    OriginalFilename  : vsmon.exe

    ProductName        : TrueVector Service

    Created on        : 21/08/2003 10:52:37

    Last accessed      : 30/07/2004 08:01:55

    Last modified      : 14/07/2003 12:04:38

 

#:15 [mspmspsv.exe]

    FilePath          : C:\WINDOWS\System32\

    ThreadCreationTime : 30-07-2004 08:02:03

    BasePriority      : Normal

    FileSize          : 52 KB

    FileVersion        : 7.01.00.3055

    ProductVersion    : 7.01.00.3055

    Copyright          : Copyright © Microsoft Corp. 1981-2000

    CompanyName        : Microsoft Corporation

    FileDescription    : WMDM PMSP Service

    InternalName      : MSPMSPSV.EXE

    OriginalFilename  : MSPMSPSV.EXE

    ProductName        : Microsoft ® DRM

    Created on        : 01/05/2001 17:06:22

    Last accessed      : 30/07/2004 08:01:55

    Last modified      : 01/05/2001 17:06:22

 

#:16 [appff.exe]

    FilePath          : C:\WINDOWS\system32\

    ThreadCreationTime : 30-07-2004 08:02:03

    BasePriority      : Normal

    FileSize          : 9 KB

    Created on        : 22/07/2004 08:43:38

    Last accessed      : 30/07/2004 08:02:03

    Last modified      : 22/07/2004 08:43:38

 

#:17 [explorer.exe]

    FilePath          : C:\WINDOWS\

    ThreadCreationTime : 30-07-2004 08:02:06

    BasePriority      : Normal

    FileSize          : 980 KB

    FileVersion        : 6.00.2800.1106 (xpsp1.020828-1920)

    ProductVersion    : 6.00.2800.1106

    CompanyName        : Microsoft Corporation

    FileDescription    : Windows Explorer

    InternalName      : explorer

    OriginalFilename  : EXPLORER.EXE

    ProductName        : Microsoft

    Created on        : 29/08/2002 12:00:00

    Last accessed      : 30/07/2004 08:35:48

    Last modified      : 29/08/2002 12:00:00

 

#:18 [rundll32.exe]

    FilePath          : C:\WINDOWS\System32\

    ThreadCreationTime : 30-07-2004 08:02:23

    BasePriority      : Normal

    FileSize          : 31 KB

    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)

    ProductVersion    : 5.1.2600.0

    CompanyName        : Microsoft Corporation

    FileDescription    : Run a DLL as an App

    InternalName      : rundll

    OriginalFilename  : RUNDLL.EXE

    ProductName        : Microsoft

    Created on        : 29/08/2002 12:00:00

    Last accessed      : 30/07/2004 08:04:05

    Last modified      : 29/08/2002 12:00:00

 

#:19 [instan~1.exe]

    FilePath          : C:\PROGRA~1\TEXTBR~1.0\Bin\

    ThreadCreationTime : 30-07-2004 08:02:23

    BasePriority      : Normal

    FileSize          : 36 KB

 

#:20 [realsched.exe]

    FilePath          : C:\Program Files\Common Files\Real\Update_OB\

    ThreadCreationTime : 30-07-2004 08:02:24

    BasePriority      : Normal

    FileSize          : 148 KB

    FileVersion        : 0.1.0.1622

    ProductVersion    : 0.1.0.1622

    Copyright          : Copyright 

    CompanyName        : RealNetworks, Inc.

    FileDescription    : RealNetworks Scheduler

    InternalName      : schedapp

    OriginalFilename  : realsched.exe

    ProductName        : RealOne Player (32-bit)

    Created on        : 29/01/2004 19:09:03

    Last accessed      : 30/07/2004 08:02:24

    Last modified      : 29/01/2004 19:09:03

 

#:21 [msgplus.exe]

    FilePath          : C:\Program Files\Messenger Plus! 3\

    ThreadCreationTime : 30-07-2004 08:02:24

    BasePriority      : Normal

    FileSize          : 160 KB

    FileVersion        : 3, 0, 0, 94

    ProductVersion    : 3, 0, 0, 94

    Copyright          : Copyright © 2001-2004

    CompanyName        : Patchou

    FileDescription    : Messenger Plus!

    InternalName      : MsgPlus

    OriginalFilename  : MsgPlus.exe

    ProductName        : Messenger Plus! 3

    Created on        : 16/05/2004 09:00:40

    Last accessed      : 30/07/2004 08:02:25

    Last modified      : 23/06/2004 17:30:54

 

#:22 [point32.exe]

    FilePath          : C:\Program Files\Microsoft IntelliPoint\

    ThreadCreationTime : 30-07-2004 08:02:24

    BasePriority      : Normal

    FileSize          : 160 KB

    FileVersion        : 5.00.174.0

    ProductVersion    : 5.0

    CompanyName        : Microsoft Corporation

    FileDescription    : Point32.exe

    InternalName      : Point32.exe

    OriginalFilename  : Point32.exe

    ProductName        : Microsoft IntelliPoint

    Created on        : 15/05/2003 23:41:15

    Last accessed      : 30/07/2004 08:01:55

    Last modified      : 15/05/2003 23:41:15

 

#:23 [ntbn.exe]

    FilePath          : C:\WINDOWS\

    ThreadCreationTime : 30-07-2004 08:02:25

    BasePriority      : Normal

    FileSize          : 26 KB

    Created on        : 29/07/2004 22:25:38

    Last accessed      : 30/07/2004 08:01:55

    Last modified      : 29/07/2004 22:25:38

 

#:24 [quickdcf.exe]

    FilePath          : C:\Program Files\FinePixViewer\

    ThreadCreationTime : 30-07-2004 08:02:25

    BasePriority      : Normal

    FileSize          : 196 KB

    FileVersion        : 3, 0, 0, 0

    ProductVersion    : 3, 0, 0, 0

    Copyright          : Copyright 2000-2002 FUJI PHOTO FILM CO.,LTD.

    CompanyName        : FUJI PHOTO FILM CO., LTD.

    FileDescription    : Exif Launcher

    InternalName      : QuickDCF

    OriginalFilename  : QuickDCF.exe

    ProductName        : FinePixViewer

    Created on        : 09/01/2002 20:53:14

    Last accessed      : 30/07/2004 08:01:55

    Last modified      : 09/01/2002 20:53:14

 

#:25 [easyshare.exe]

    FilePath          : C:\Program Files\Kodak\Kodak EasyShare software\bin\

    ThreadCreationTime : 30-07-2004 08:02:26

    BasePriority      : Normal

    FileSize          : 584 KB

    FileVersion        : 2, 0, 2, 225

    ProductVersion    : 3, 0, 0, 221

    Copyright          : Copyright 

    CompanyName        : Eastman Kodak Company

    FileDescription    : Kodak EasyShare software

    InternalName      : EasyShare

    OriginalFilename  : EasyShare.exe

    ProductName        : Kodak EasyShare software

    Created on        : 09/04/2003 05:56:24

    Last accessed      : 30/07/2004 08:01:55

    Last modified      : 09/04/2003 05:56:24

 

#:26 [backweb-7288971.exe]

    FilePath          : C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\

    ThreadCreationTime : 30-07-2004 08:02:26

    BasePriority      : Normal

    FileSize          : 16 KB

    Created on        : 13/03/2002 04:08:34

    Last accessed      : 30/07/2004 08:02:26

    Last modified      : 13/03/2002 04:08:34

 

#:27 [wkcalrem.exe]

    FilePath          : C:\Program Files\Common Files\Microsoft Shared\Works Shared\

    ThreadCreationTime : 30-07-2004 08:02:26

    BasePriority      : Normal

    FileSize          : 52 KB

    FileVersion        : 5.00.1928.1

    ProductVersion    : 5.00.1928.1

    CompanyName        : Microsoft

    FileDescription    : Microsoft

    InternalName      : WkCalRem

    OriginalFilename  : WKCALREM.EXE

    ProductName        : Microsoft

    Created on        : 05/09/1999 05:23:00

    Last accessed      : 30/07/2004 08:02:26

    Last modified      : 05/09/1999 05:23:00

 

#:28 [zonealarm.exe]

    FilePath          : C:\Program Files\Zone Labs\ZoneAlarm\

    ThreadCreationTime : 30-07-2004 08:02:26

    BasePriority      : Normal

    FileSize          : 609 KB

    FileVersion        : 3.7.202

    ProductVersion    : 3.7.202

    Copyright          : Copyright 

    CompanyName        : Zone Labs Inc.

    FileDescription    : ZoneAlarm

    InternalName      : zonealarm

    OriginalFilename  : zonealarm.exe

    ProductName        : ZoneAlarm

    Created on        : 25/05/2003 11:30:57

    Last accessed      : 30/07/2004 08:02:26

    Last modified      : 14/07/2003 12:05:40

 

#:29 [msnmsgr.exe]

    FilePath          : C:\Program Files\MSN Messenger\

    ThreadCreationTime : 30-07-2004 08:02:33

    BasePriority      : Normal

    FileSize          : 4768 KB

    FileVersion        : 6.2.0137

    ProductVersion    : Version 6.2

    Copyright          : Copyright © Microsoft Corporation 1997-2004

    CompanyName        : Microsoft Corporation

    FileDescription    : MSN Messenger

    InternalName      : msnmsgr

    OriginalFilename  : msnmsgr.exe

    ProductName        : MSN Messenger

    Created on        : 28/05/2004 14:22:04

    Last accessed      : 30/07/2004 08:43:27

    Last modified      : 28/05/2004 14:22:04

 

#:30 [wuauclt.exe]

    FilePath          : C:\WINDOWS\System32\

    ThreadCreationTime : 30-07-2004 08:03:12

    BasePriority      : Normal

    FileSize          : 145 KB

    FileVersion        : 5.4.3790.20 built by: lab04_n

    ProductVersion    : 5.4.3790.20

    CompanyName        : Microsoft Corporation

    FileDescription    : Windows Update AutoUpdate Client

    InternalName      : wuauclt.exe

    OriginalFilename  : wuauclt.exe

    ProductName        : Microsoft

    Created on        : 24/02/2003 11:59:42

    Last accessed      : 30/07/2004 08:01:57

    Last modified      : 31/01/2004 00:40:14

 

#:31 [ad-aware.exe]

    FilePath          : C:\PROGRA~1\Lavasoft\AD-AWA~1\

    ThreadCreationTime : 30-07-2004 08:43:40

    BasePriority      : Normal

    FileSize          : 668 KB

    FileVersion        : 6.0.1.181

    ProductVersion    : 6.0.0.0

    Copyright          : Copyright 

    CompanyName        : Lavasoft Sweden

    FileDescription    : Ad-aware 6 core application

    InternalName      : Ad-aware.exe

    OriginalFilename  : Ad-aware.exe

    ProductName        : Lavasoft Ad-aware Plus

    Created on        : 29/04/2004 22:27:44

    Last accessed      : 30/07/2004 08:22:44

    Last modified      : 12/07/2003 20:00:20

 

#:32 [iexplore.exe]

    FilePath          : C:\Program Files\Internet Explorer\

    ThreadCreationTime : 30-07-2004 08:43:43

    BasePriority      : Normal

    FileSize          : 89 KB

    FileVersion        : 6.00.2800.1106 (xpsp1.020828-1920)

    ProductVersion    : 6.00.2800.1106

    CompanyName        : Microsoft Corporation

    FileDescription    : Internet Explorer

    InternalName      : iexplore

    OriginalFilename  : IEXPLORE.EXE

    ProductName        : Microsoft

    Created on        : 24/02/2003 12:01:19

    Last accessed      : 30/07/2004 08:43:43

    Last modified      : 29/08/2002 12:00:00

 

Memory scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 0

 

 

Started registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 0

 

 

Started deep registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html

 

Possible Browser Hijack attempt Object recognized!

    Type              : RegData

    Data              : "res://wwnsv.dll/index.html#28129"

    Category          : Data Miner

    Comment            : Possible browser hijack attempt

    Rootkey            : HKEY_CURRENT_USER

    Object            : Software\Microsoft\Internet Explorer\Main

    Value              : Start Page

    Data              : "res://wwnsv.dll/index.html#28129"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html

 

Possible Browser Hijack attempt Object recognized!

    Type              : RegData

    Data              : "res://wwnsv.dll/index.html#28129"

    Category          : Data Miner

    Comment            : Possible browser hijack attempt

    Rootkey            : HKEY_LOCAL_MACHINE

    Object            : Software\Microsoft\Internet Explorer\Main

    Value              : Start Page

    Data              : "res://wwnsv.dll/index.html#28129"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainDefault_Page_URL.dll/index.html

 

Possible Browser Hijack attempt Object recognized!

    Type              : RegData

    Data              : "res://wwnsv.dll/index.html#28129"

    Category          : Data Miner

    Comment            : Possible browser hijack attempt

    Rootkey            : HKEY_LOCAL_MACHINE

    Object            : Software\Microsoft\Internet Explorer\Main

    Value              : Default_Page_URL

    Data              : "res://wwnsv.dll/index.html#28129"

 

 

Deep registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 3

Objects found so far: 3

 

 

Deep scanning and examining files (C:)

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Tracking Cookie Object recognized!

    Type              : File

    Data              : family@atdmt[1].txt

    Category          : Data Miner

    Comment            :

    Object            : C:\Documents and Settings\Family\Cookies\

 

    Created on        : 30/07/2004 07:02:20

    Last accessed      : 30/07/2004 08:36:28

    Last modified      : 30/07/2004 08:36:28

 

 

 

Disk scan result for C:\

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 4

 

 

Performing conditional scans..

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Conditional scan result:

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 4

 

 

10:00:26 Scan complete

 

Summary of this scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Total scanning time :00:13:18:468

Objects scanned :221987

Objects identified :4

Objects ignored :0

New objects :4

 

HijackThis log:

Logfile of HijackThis v1.97.7

Scan saved at 11:14:15, on 30/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\scagent.exe

C:\WINDOWS\System32\ScsiAccess.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\appff.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\RunDll32.exe

C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger Plus! 3\MsgPlus.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\WINDOWS\ntbn.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wwnsv.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wwnsv.dll/index.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wwnsv.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wwnsv.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wwnsv.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wwnsv.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {FD6F55F3-10E8-D4AB-3EDD-34285F1DFA2E} - C:\WINDOWS\apphp.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [ntbn.exe] C:\WINDOWS\ntbn.exe

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKLM\..\RunOnce: [appff.exe] C:\WINDOWS\system32\appff.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: TREND MICRO HouseCall (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O16 - DPF: ADVFN US - http://usa.advfn.com/advfn_us8.cab

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\a.exe

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {1F996EAE-3D97-4862-AA0E-27F257C089DE} (blueyonder Game Launcher Control) - http://www.bygames.com/activex/launcher.ocx

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {55B058C8-62DA-11D4-B4AD-B91DC3D8A423} (LightsOut Control) - http://www.simonbradley.net/LightsOut.ocx

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

O16 - DPF: {F8F88D0D-E455-11D6-B547-00400555C7FB} (DiskHealth2 Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

 

Thanks again

Share this post


Link to post
Share on other sites

Hello please download About:Buster and unzip it to your desktop. Don´t run it yet.

 

How to use Ad-Aware to remove Spyware <= Please check this link for instructions on how to download, install and then use adaware. Don´t use it yet.

1 You already have Adaware installed. Make sure it's up to date. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen. You should now see Reference File # : 01R333 18.07.2004 or higher listed.

 

2 Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online.

 

3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. This service is installed by the malware. If this service is not listed go ahead with the next step.

 

4. Reboot to Safe Mode

How to start the computer in Safe mode

 

 

5. Make sure your PC is configured to show hidden files

 

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.

Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"

Click "Apply" then "OK"

 

6.CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wwnsv.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wwnsv.dll/index.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wwnsv.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wwnsv.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wwnsv.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wwnsv.dll/sp.html#28129

O2 - BHO: (no name) - {FD6F55F3-10E8-D4AB-3EDD-34285F1DFA2E} - C:\WINDOWS\apphp.dll

O4 - HKLM\..\Run: [ntbn.exe] C:\WINDOWS\ntbn.exe

O4 - HKLM\..\RunOnce: [appff.exe] C:\WINDOWS\system32\appff.exe

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\a.exe

 

7. Delete the following files if present.

C:\WINDOWS\wwnsv.dll

C:\WINDOWS\apphp.dll

C:\WINDOWS\ntbn.exe

C:\WINDOWS\system32\appff.exe

C:\Program Files\Internet Explorer\a.exe

 

 

 

8. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report(copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

 

9. Scan with Adaware and let it remove any bad files found.

 

10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

 

 

Temporary Files

Temporary Internet Files

Recycle Bin

 

11. Reboot to normal mode, scan again with Hijack This and post a new log here.

 

12. Finally, do an online scan HERE. Let it remove any infected files found.

 

Replace Deleted Files

It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.

 

Go here and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

 

Download the Hoster from here Press 'Restore Original Hosts' and press 'OK'

Exit Program.

 

If you have Spybot S&D installed you may also need to replace one file.

Go here and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

 

Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended.

Go to Internet Options/Security/Internet, press 'default level', then OK.

Now press "Custom Level."

In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt; set the

second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe" to 'Disable'.

Share this post


Link to post
Share on other sites

Thanks for the reply.

 

I followed all your instructions however:

"Network Security Service" was not in Services.msc

 

I also couldn't find the following:

 

04 - HKLM\..\Run: [ntbn.exe] C:\WINDOWS\ntbn.exe

016 - DPF: {1000000-100-000-1000-000000000000} - file://C:\Program Files\Internet Explorer\a.exe

 

C:\WINDOWS\ntbn.exe

 

---------------------------------------

 

After following the instructions and rebooting etc, I scanned with HijackThis. Here is my new log.

 

Logfile of HijackThis v1.97.7

Scan saved at 20:25:31, on 01/08/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\scagent.exe

C:\WINDOWS\System32\ScsiAccess.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\javayj.exe

C:\WINDOWS\System32\RunDll32.exe

C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger Plus! 3\MsgPlus.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\appxu32.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jbzdx.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jbzdx.dll/index.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jbzdx.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jbzdx.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jbzdx.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jbzdx.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {49E3B74E-F05D-BC3E-9CB7-A196605EC6A6} - C:\WINDOWS\system32\crgb32.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [appxu32.exe] C:\WINDOWS\appxu32.exe

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKLM\..\RunOnce: [ielt32.exe] C:\WINDOWS\ielt32.exe

O4 - HKLM\..\RunOnce: [d3cm32.exe] C:\WINDOWS\d3cm32.exe

O4 - HKLM\..\RunOnce: [mfcbl.exe] C:\WINDOWS\mfcbl.exe

O4 - HKLM\..\RunOnce: [winzy.exe] C:\WINDOWS\winzy.exe

O4 - HKLM\..\RunOnce: [crmq.exe] C:\WINDOWS\crmq.exe

O4 - HKLM\..\RunOnce: [mfcgy32.exe] C:\WINDOWS\mfcgy32.exe

O4 - HKLM\..\RunOnce: [netfx.exe] C:\WINDOWS\netfx.exe

O4 - HKLM\..\RunOnce: [addqn.exe] C:\WINDOWS\addqn.exe

O4 - HKLM\..\RunOnce: [mspi.exe] C:\WINDOWS\system32\mspi.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: TREND MICRO HouseCall (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O16 - DPF: ADVFN US - http://usa.advfn.com/advfn_us8.cab

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {1F996EAE-3D97-4862-AA0E-27F257C089DE} (blueyonder Game Launcher Control) - http://www.bygames.com/activex/launcher.ocx

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab

O16 - DPF: {55B058C8-62DA-11D4-B4AD-B91DC3D8A423} (LightsOut Control) - http://www.simonbradley.net/LightsOut.ocx

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

O16 - DPF: {F8F88D0D-E455-11D6-B547-00400555C7FB} (DiskHealth2 Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

 

I still get the problems when I open IE.

 

If you want my about:buster logs then let me know.

 

Thanks for your help

Share this post


Link to post
Share on other sites

Your version of Hijack this is outdated. Please download version 1.98.0 from either of the following links:

LINK 1

or

LINK 2

And post a new log

And please don´t quote the logs

Edited by mmxx66

Share this post


Link to post
Share on other sites

OK, sorry about the quote thing.

Here is my latest log:

 

Logfile of HijackThis v1.98.1

Scan saved at 21:53:41, on 02/08/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\scagent.exe

C:\WINDOWS\System32\ScsiAccess.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\javayj.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\RunDll32.exe

C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger Plus! 3\MsgPlus.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\WINDOWS\system32\ntei32.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zrtlo.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zrtlo.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zrtlo.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zrtlo.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zrtlo.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zrtlo.dll/index.html#28129

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {1E09A367-5B7D-66F4-0E18-4FBCCE2A8EB3} - C:\WINDOWS\crzf32.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [ntei32.exe] C:\WINDOWS\system32\ntei32.exe

O4 - HKLM\..\RunOnce: [ielt32.exe] C:\WINDOWS\ielt32.exe

O4 - HKLM\..\RunOnce: [d3cm32.exe] C:\WINDOWS\d3cm32.exe

O4 - HKLM\..\RunOnce: [mfcbl.exe] C:\WINDOWS\mfcbl.exe

O4 - HKLM\..\RunOnce: [winzy.exe] C:\WINDOWS\winzy.exe

O4 - HKLM\..\RunOnce: [crmq.exe] C:\WINDOWS\crmq.exe

O4 - HKLM\..\RunOnce: [mfcgy32.exe] C:\WINDOWS\mfcgy32.exe

O4 - HKLM\..\RunOnce: [netfx.exe] C:\WINDOWS\netfx.exe

O4 - HKLM\..\RunOnce: [addqn.exe] C:\WINDOWS\addqn.exe

O4 - HKLM\..\RunOnce: [mspi.exe] C:\WINDOWS\system32\mspi.exe

O4 - HKLM\..\RunOnce: [atlml32.exe] C:\WINDOWS\atlml32.exe

O4 - HKLM\..\RunOnce: [crqc.exe] C:\WINDOWS\system32\crqc.exe

O4 - HKLM\..\RunOnce: [apipr32.exe] C:\WINDOWS\system32\apipr32.exe

O4 - HKLM\..\RunOnce: [javavf32.exe] C:\WINDOWS\system32\javavf32.exe

O4 - HKLM\..\RunOnce: [atlje.exe] C:\WINDOWS\atlje.exe

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: ADVFN US - http://usa.advfn.com/advfn_us8.cab

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {1F996EAE-3D97-4862-AA0E-27F257C089DE} (blueyonder Game Launcher Control) - http://www.bygames.com/activex/launcher.ocx

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab

O16 - DPF: {55B058C8-62DA-11D4-B4AD-B91DC3D8A423} (LightsOut Control) - http://www.simonbradley.net/LightsOut.ocx

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

O16 - DPF: {F8F88D0D-E455-11D6-B547-00400555C7FB} (DiskHealth2 Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - (no file)

Share this post


Link to post
Share on other sites

Do not reboot

Right click on the task bar, go to Task Manager in the processes tab, stop these processes:

javayj.exe

ntei32.exe

 

CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zrtlo.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zrtlo.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zrtlo.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zrtlo.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zrtlo.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zrtlo.dll/index.html#28129

O2 - BHO: (no name) - {1E09A367-5B7D-66F4-0E18-4FBCCE2A8EB3} - C:\WINDOWS\crzf32.dll

O4 - HKLM\..\Run: [ntei32.exe] C:\WINDOWS\system32\ntei32.exe

O4 - HKLM\..\RunOnce: [ielt32.exe] C:\WINDOWS\ielt32.exe

O4 - HKLM\..\RunOnce: [d3cm32.exe] C:\WINDOWS\d3cm32.exe

O4 - HKLM\..\RunOnce: [mfcbl.exe] C:\WINDOWS\mfcbl.exe

O4 - HKLM\..\RunOnce: [winzy.exe] C:\WINDOWS\winzy.exe

O4 - HKLM\..\RunOnce: [crmq.exe] C:\WINDOWS\crmq.exe

O4 - HKLM\..\RunOnce: [mfcgy32.exe] C:\WINDOWS\mfcgy32.exe

O4 - HKLM\..\RunOnce: [netfx.exe] C:\WINDOWS\netfx.exe

O4 - HKLM\..\RunOnce: [addqn.exe] C:\WINDOWS\addqn.exe

O4 - HKLM\..\RunOnce: [mspi.exe] C:\WINDOWS\system32\mspi.exe

O4 - HKLM\..\RunOnce: [atlml32.exe] C:\WINDOWS\atlml32.exe

O4 - HKLM\..\RunOnce: [crqc.exe] C:\WINDOWS\system32\crqc.exe

O4 - HKLM\..\RunOnce: [apipr32.exe] C:\WINDOWS\system32\apipr32.exe

O4 - HKLM\..\RunOnce: [javavf32.exe] C:\WINDOWS\system32\javavf32.exe

O4 - HKLM\..\RunOnce: [atlje.exe] C:\WINDOWS\atlje.exe

 

Delete these files:

C:\WINDOWS\system32\ zrtlo.dll

C:\WINDOWS\crzf32.dll

C:\WINDOWS\javayj.exe

C:\WINDOWS\system32\ntei32.exe

C:\WINDOWS\ielt32.exe

C:\WINDOWS\d3cm32.exe

C:\WINDOWS\mfcbl.exe

C:\WINDOWS\winzy.exe

C:\WINDOWS\crmq.exe

C:\WINDOWS\mfcgy32.exe

C:\WINDOWS\netfx.exe

C:\WINDOWS\addqn.exe

C:\WINDOWS\system32\mspi.exe

C:\WINDOWS\atlml32.exe

C:\WINDOWS\system32\crqc.exe

C:\WINDOWS\system32\apipr32.exe

C:\WINDOWS\system32\javavf32.exe

C:\WINDOWS\atlje.exe

 

Double click AboutBuster.exe, run the program twice, save both logs.

Scan with Adaware and let it remove any bad files found.

 

Post a new hijack this log and the About Buster logs

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0