Jump to content


Photo

I have been hijacked by adsrve


  • Please log in to reply
7 replies to this topic

#1 chris1977

chris1977

    Member

  • New Member
  • Pip
  • 4 posts

Posted 24 June 2004 - 08:58 AM

Hi, I have been reading through everyones problems and trying to pick things out that show on my HJT report but I dont seem to have some of the ones others have. I keep getting links under words on all websites and when I tried to download HJT from download.com it kept covering the download now button. Can anyone tell me what I need to remove from this please? I really need help as im no computer whizz by any means. Thanks in advance.

This is my log:

Logfile of HijackThis v1.97.7
Scan saved at 14:37:19, on 24/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Protector Plus\PPServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\INTEL\DSLSetup\ProDsl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\PROGRA~1\PROTEC~1\PPTbc.EXE
C:\PROGRA~1\PROTEC~1\PPInupdt.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\WINDOWS\System32\WINFINGER.EXE
C:\Program Files\Cellink\cm20.exe
C:\Program Files\Cellink\ktrexe.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\documents and settings\chris reeves\local settings\temp\UgVodwA8N.exe
C:\documents and settings\chris reeves\local settings\temp\RaxeinMF7.exe
C:\Program Files\ClearSearch\Loader.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\uptodate.exe
C:\WINDOWS\System32\tggmioqp.exe
C:\Program Files\Protector Plus\POPSCAN.EXE
C:\WINDOWS\System32\oakig.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\WINDOWS\System32\ochlace.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\PdfcCj.exe
C:\WINDOWS\System32\Crx21Ym1.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SysAI\SysAI.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Chris Reeves\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1526/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1526/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1526/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1526/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1526/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1526/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1526/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1526/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1526/ (obfuscated)
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DSL Connection Manager] C:\Program Files\INTEL\DSLSetup\ProDsl.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [PP2000 Taskbar Control] C:\PROGRA~1\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [PP2000 InstaUpdate] C:\PROGRA~1\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [WinHubo Drivers] WINFINGER.EXE
O4 - HKLM\..\Run: [Windows Drivers] WINEXES.EXE
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\Cellink\cm20.exe
O4 - HKLM\..\Run: [Start RF Wireless Keyboard] C:\Program Files\Cellink\ktrexe.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UgVodwA8N] C:\documents and settings\chris reeves\local settings\temp\UgVodwA8N.exe
O4 - HKLM\..\Run: [RaxeinMF7] C:\documents and settings\chris reeves\local settings\temp\RaxeinMF7.exe
O4 - HKLM\..\Run: [2@C7B@94R9KBSW] C:\WINDOWS\System32\LjpjOq5.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [bcjwtjmwgov] C:\WINDOWS\System32\tggmioqp.exe
O4 - HKLM\..\Run: [xs4U3qR] oakig.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [gBv8Rkdsh] ochlace.exe
O4 - HKCU\..\RunOnce: [WinHubo Drivers] WINFINGER.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isear...les/initial.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v5.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.micro...eb/ikcntrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADED60C9-9F88-4485-BDBC-60AF3F29726E}: NameServer = 213.120.62.102 213.120.62.103

#2 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 26 June 2004 - 12:03 PM

You have several different infections including CoolWebSearch and Peper. This will take a while to fix but we should be able to clear everything out.

I'm going to give you a lot to do with fairly detailed instructions - read thru them and if there is something that you don't understand - or don't know how to do - post back and I'll explain further.

Start off by getting these three programs:

CWShredder from http://www.spywarein.../CWShredder.exe

PeperFix from http://www.subratam.org/?page=removal

Ad-aware from http://www.lavasoft.de/res/aaw6.exe

Install them into their own folders.

I also need to get you to install HijackThis into its own folder - somethimg like C:\HJT\ - you don't want to run it from a Temporary folder or the Desktop.

A synopsis of what we're going to do is:

Run Ad-aware - deep scan
Boot into Safe Mode
Run Peperfix
Run CWShredder
Run Ad-aware again
Run HijackThis scan
Fix remnants in HJT
Delete bad files and folders
Reboot into Normal Mode
Run HijackThis scan
Post new log

You might want to print out these detailed instructions because you don't want to have any programs running except the one you are using each step of the way.

Start Ad-aware, and first, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Posted Image Click on the Gear icon (second from the left) to access the preferences/settings window
  • In the General window make sure the following are selected:
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
  • Click on the Scanning button on the left and select :
    • Scan Within Archives
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file
    • Under Click here to select drives + folders, choose:
    • All of your hard drives
Posted Image Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
Posted Image Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
Posted Image Click on Proceed to save the settings.

Posted Image Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page, and then choose:
  • Use Custom Scanning Options
Posted Image Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Posted Image Save the log file when it asks and then click Finish

Posted Image When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Posted Image Now, close Ad-aware.

Reboot your computer into Safe Mode by tapping the F8 key during bootup. Safe Mode won't load a lot of drivers, including graphic board drivers, so it will look different than Normal Mode.

Run PeperFix.

Run CWShredder.

Run Ad-aware again. It should still be setup for the deep scan so you won't have to do all the settings again. Fix anything else it finds - probably not much, if anything.

Close it when done and start HijackThis. Run a scan and mark the following items for fixing. Some of these items may not be there at this point and that's good - just mark the ones that are.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1526/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1526/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1526/ (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1526/ (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1526/ (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1526/ (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1526/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1526/ (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1526/ (obfuscated)

O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll

O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL

O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL

O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b

O4 - HKLM\..\Run: [WinHubo Drivers] WINFINGER.EXE

O4 - HKLM\..\Run: [Windows Drivers] WINEXES.EXE

O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

O4 - HKLM\..\Run: [UgVodwA8N] C:\documents and settings\chris reeves\local settings\temp\UgVodwA8N.exe

O4 - HKLM\..\Run: [RaxeinMF7] C:\documents and settings\chris reeves\local settings\temp\RaxeinMF7.exe

O4 - HKLM\..\Run: [2@C7B@94R9KBSW] C:\WINDOWS\System32\LjpjOq5.exe

O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe

O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain

O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe

O4 - HKLM\..\Run: [bcjwtjmwgov] C:\WINDOWS\System32\tggmioqp.exe

O4 - HKLM\..\Run: [xs4U3qR] oakig.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe

O4 - HKCU\..\Run: [gBv8Rkdsh] ochlace.exe

O4 - HKCU\..\RunOnce: [WinHubo Drivers] WINFINGER.EXE

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isear...les/initial.cab


When you've got all those checked then click Fix Checked and HijackThis will fix them.

Posted Image Reboot again, also in Safe Mode, and look for these files and delete them.

C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\System32\WINFINGER.EXE
C:\documents and settings\chris reeves\local settings\temp\UgVodwA8N.exe
C:\documents and settings\chris reeves\local settings\temp\RaxeinMF7.exe
C:\WINDOWS\uptodate.exe
C:\WINDOWS\System32\tggmioqp.exe
C:\WINDOWS\System32\oakig.exe
C:\WINDOWS\System32\ochlace.exe
C:\WINDOWS\System32\PdfcCj.exe
C:\WINDOWS\System32\Crx21Ym1.exe

Now look for these folders and delete them (which will also delete all their contents)

C:\Program Files\ClearSearch
C:\Program Files\Common Files\Dpi
C:\Program Files\SysAI

Finally (!), when you're done with those, reboot your computer normally, run another HijackThis scan and post the log here for further review.
How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.

#3 chris1977

chris1977

    Member

  • New Member
  • Pip
  • 4 posts

Posted 28 June 2004 - 07:10 AM

Fire Flyer,

If this has worked then I cant thank you enough. The pop ups and all that goes with it were about to receive the royal order of the hammer! Here is my new and hopefully improved log file:

Logfile of HijackThis v1.97.7
Scan saved at 13:03:01, on 28/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Protector Plus\PPServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\INTEL\DSLSetup\ProDsl.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\PROGRA~1\PROTEC~1\PPTbc.EXE
C:\PROGRA~1\PROTEC~1\PPInupdt.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Cellink\cm20.exe
C:\Program Files\Cellink\ktrexe.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\WINFINGER.EXE
C:\Program Files\Protector Plus\POPSCAN.EXE
C:\Documents and Settings\Chris Reeves\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DSL Connection Manager] C:\Program Files\INTEL\DSLSetup\ProDsl.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [PP2000 Taskbar Control] C:\PROGRA~1\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [PP2000 InstaUpdate] C:\PROGRA~1\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\Cellink\cm20.exe
O4 - HKLM\..\Run: [Start RF Wireless Keyboard] C:\Program Files\Cellink\ktrexe.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [2@C7B@94R9KBSW] C:\WINDOWS\System32\Ctck1i76.exe
O4 - HKLM\..\Run: [AutoLoaderxFvo1WMeWRaL] "C:\WINDOWS\System32\oakig.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [xs4U3qR] icqtls.exe
O4 - HKLM\..\Run: [WinHubo Drivers] WINFINGER.EXE
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\RunOnce: [WinHubo Drivers] WINFINGER.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....ro64_loader.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v5.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.micro...eb/ikcntrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADED60C9-9F88-4485-BDBC-60AF3F29726E}: NameServer = 213.120.62.100 213.120.62.101

Once again I would like to thank you for the help. Your a diamond!

Cheers

Chris

#4 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 28 June 2004 - 08:46 AM

Chris, unfortunately we're not out of the woods yet. CoolWebSearch is gone, but there are still some Peper remnants remaining.

You still have HijackThis on the Desktop - it's really best to run it from within its own permanent folder.

Peper has been getting obstinate lately and harder to eradicate, so let's hit it again.

Boot into Safe Mode again and run PeperFix again. Then, still in Safe Mode run another HijackThis scan and mark these for removal:


R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O4 - HKLM\..\Run: [2@C7B@94R9KBSW] C:\WINDOWS\System32\Ctck1i76.exe

O4 - HKLM\..\Run: [xs4U3qR] icqtls.exe



Be sure all browser and Windows Explorer windows are closed and click Fix Checked.

Run another Ad-aware scan (make sure you have the reference file released 6/27/04) and fix what it finds.

Reboot normally and post a new HijackThis log. Let me know how it went and how your system is performing.
How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.

#5 chris1977

chris1977

    Member

  • New Member
  • Pip
  • 4 posts

Posted 28 June 2004 - 11:31 AM

Hi Mate,

I did as you said and this is my new log:

Logfile of HijackThis v1.97.7
Scan saved at 17:28:57, on 28/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Protector Plus\PPServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\INTEL\DSLSetup\ProDsl.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\PROGRA~1\PROTEC~1\PPTbc.EXE
C:\PROGRA~1\PROTEC~1\PPInupdt.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Cellink\cm20.exe
C:\Program Files\Cellink\ktrexe.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\WINFINGER.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Protector Plus\POPSCAN.EXE
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DSL Connection Manager] C:\Program Files\INTEL\DSLSetup\ProDsl.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [PP2000 Taskbar Control] C:\PROGRA~1\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [PP2000 InstaUpdate] C:\PROGRA~1\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\Cellink\cm20.exe
O4 - HKLM\..\Run: [Start RF Wireless Keyboard] C:\Program Files\Cellink\ktrexe.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AutoLoaderxFvo1WMeWRaL] "C:\WINDOWS\System32\oakig.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [WinHubo Drivers] WINFINGER.EXE
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\RunOnce: [WinHubo Drivers] WINFINGER.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....ro64_loader.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v5.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.micro...eb/ikcntrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADED60C9-9F88-4485-BDBC-60AF3F29726E}: NameServer = 213.120.62.104 213.120.62.97

Is it getting better? Today has been ok apart from the odd ebay pop up but I didnt think that mattered as I was already on ebay. Thanks again for this.

Regards

Chris

#6 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 28 June 2004 - 11:55 AM

It looks good Chris, no sign left of Peper or any other malware.

I've got some OPTIONAL fixes if you're interested.

You are using Download Accelerator (DAP) which is not technically malware, but it may include malware and allow it into your system. You can find safer alternatives here: http://www.spywarein...cat=dlman#dlman To remove it, fix this item with HJT and then remove it in Add/Remove Programs...

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

These items are considered to be resource hogs that may not be needed to run at startup and it may be worthwhile to fix them with HJT. You will still be able to start them manually if you need them...

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe


If you choose to remove these, just check them in HJT and click Fix Checked.

Otherwise, everything looks fine.
How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.

#7 chris1977

chris1977

    Member

  • New Member
  • Pip
  • 4 posts

Posted 29 June 2004 - 05:14 AM

Fire Flyer,

I cannot thank you enough. You have been brilliant and I could never have done this without your help. What do I have to do to send you a donation or a gift? You have no doubt saved me a fortune and I am very grateful.

Thanks mate

Chris.

#8 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • PipPipPipPipPip
  • 571 posts

Posted 29 June 2004 - 01:28 PM

Chris,

Thank you for the kind words. I get my rewards just defeating the work of these malware makers. I'm probably every bit as happy as you are that your system is free from their clutches.

If you are interested in donating to SpywareInfo, click here for info on how you can do it.
How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button