
Win32.backdoor.agent / Win32.trojan.spy


10 replies to this topic

#1 Dave J Spencer


Posted 18 February 2008 - 09:36 AM

Have run cleanmgr to clear out all temp files, run Ad-Aware and Spybot S&D. Scanned with Norton Anti-Virus in both safe mode and normal mode, run McAfee Avert Stinger, and am now posting a HijackThis log in the hope of ridding my computer of these nasties.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:07:19, on 18/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\csrss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
I:\PROGRA~1\COSIDS\BIN\TbMux32.exe
I:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
I:\ElsaWin\bin\LcSvrAdm.exe
I:\ElsaWin\bin\LcSvrDba.exe
I:\ElsaWin\bin\LcSvrHis.exe
I:\ElsaWin\bin\LcSvrKdS.exe
I:\ElsaWin\bin\LcSvrPas.exe
I:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
I:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Canon\CAL\CALMAIN.exe
I:\ElsaWin\bin\LcSvrAuf.exe
I:\WINDOWS\system32\wscntfy.exe
I:\WINDOWS\System32\alg.exe
I:\WINDOWS\explorer.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Documents and Settings\Dave\Desktop\HiJackThis.exe
I:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
F3 - REG:win.ini: run="I:\WINDOWS\system32\winupdate.exe"
F2 - REG:system.ini: UserInit=I:\WINDOWS\system32\userinit.exe,I:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WebCGMHlprObj Class - {56B38F40-4E70-11d4-A076-0080AD86BA2F} - I:\WINDOWS\cgmopenbho.dll
O2 - BHO: (no name) - {573613D5-6E43-4E16-A3AC-A7A5BBC20AA2} - I:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: {8f87e3cf-4cc8-91aa-5544-ecf82f0e0186} - {6810e0f2-8fce-4455-aa19-8cc4fc3e78f8} - I:\WINDOWS\system32\emydknis.dll (file missing)
O2 - BHO: (no name) - {93204460-DB2D-4FAA-89BD-9A8635A61720} - I:\WINDOWS\system32\mljgf.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] I:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "I:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] I:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] I:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - I:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - I:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - I:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179341719390
O16 - DPF: {737D14F8-4090-11D4-AE0E-0010830243BD} (SysVerChk Control) - http://pointa.autodesk.com/portal/lang/neutral/SysVerChk.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file:///I:/Program%20Files/AutoCAD%202002/AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///I:/Program%20Files/AutoCAD%202002/InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - http://pointa.autodesk.com/portal/lang/enu/InstFred.Ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file:///I:/Program%20Files/AutoCAD%202002/AcPreview.ocx
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O21 - SSODL: DrvSrv - {13547f57-17d5-4327-817e-d5c2501d8e4c} - I:\WINDOWS\Installer\{13547f57-17d5-4327-817e-d5c2501d8e4c}\DrvSrv.dll
O21 - SSODL: zip - {d076ca43-58ae-41e6-8516-05b7107a0dfc} - I:\WINDOWS\Installer\{d076ca43-58ae-41e6-8516-05b7107a0dfc}\zip.dll
O23 - Service: Adobe LM Service - Adobe Systems - I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - I:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: CAILI - Unknown owner - I:\WINDOWS\system32\caili.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - I:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COSIDS_TB - TransAction Software, D 81737 Munich - I:\PROGRA~1\COSIDS\BIN\TbMux32.exe
O23 - Service: DefWatch - Symantec Corporation - I:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ELSA Administration Service (LcSvrAdm) - Volkswagen AG - I:\ElsaWin\bin\LcSvrAdm.exe
O23 - Service: ELSA Auftragsverwaltungs Service (LcSvrAuf) - Volkswagen AG - I:\ElsaWin\bin\LcSvrAuf.exe
O23 - Service: ELSA DBA Server (LcSvrDba) - Volkswagen AG - I:\ElsaWin\bin\LcSvrDba.exe
O23 - Service: ELSA Historie Server (LcSvrHis) - Volkswagen AG - I:\ElsaWin\bin\LcSvrHis.exe
O23 - Service: ELSA KD-Nummern Server (LcSvrKds) - Volkswagen AG - I:\ElsaWin\bin\LcSvrKdS.exe
O23 - Service: ELSA PASS Server (LcSvrPAS) - Volkswagen AG - I:\ElsaWin\bin\LcSvrPas.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - I:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SentinelSuperProNet Server (SuperProServer) - Unknown owner - I:\WINDOWS\system32\spnsrvnt.exe (file missing)
O23 - Service: TIS 2000 Apache Web Server - Unknown owner - I:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe (file missing)

--
End of file - 7731 bytes



#2 Guest_Cretemonster_*


Posted 20 February 2008 - 09:49 AM

Hi Dave J Spencer and Welcome to the Bleeping Computer!

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#3 Dave J Spencer


Posted 20 February 2008 - 01:56 PM

Many thanks for getting back to me Cretemonster. I have followed your instructions, here are my MBAM and HijackThis logs.

MBAM log:

Malwarebytes' Anti-Malware 1.04
Database version: 383

Scan type: Quick Scan
Objects scanned: 35867
Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 30
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 3
Files Infected: 38

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
I:\WINDOWS\Installer\{13547f57-17d5-4327-817e-d5c2501d8e4c}\DrvSrv.dll (Trojan.Alphabet) -> Unloaded module successfully.
I:\WINDOWS\Installer\{246934b5-1d7a-4b90-8427-b6a14c635bbe}\zip.dll (Trojan.Alphabet) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{13547f57-17d5-4327-817e-d5c2501d8e4c} (Trojan.Alphabet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{246934b5-1d7a-4b90-8427-b6a14c635bbe} (Trojan.Alphabet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{02910a3c-5d77-4a3e-8a13-fdf81ac7fecd} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0485b9a3-61d4-40a9-82ee-5b8b6bd51a58} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{29143580-a3e7-4afb-a8ef-b88f3b56c5a3} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3eb2d5e5-ab7c-46db-950e-878cf812aa1c} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5caeb087-af31-494d-842d-39cf1c7adade} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5df8c005-6e2e-4bd6-a765-304a8e550ece} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{60659361-1c5f-4fa7-aeb0-f39df2547122} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6a97a178-3e84-45af-8f28-982c22e9a49d} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7d9351b3-4ebe-4f8f-981e-9af90ba99f54} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7e22e1d0-5af8-4fb8-a635-bd31b3308c71} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{821a05ed-bb06-4444-a1e0-f0ab21ff626d} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{886bacae-e094-4bde-912e-99c3a3ddd122} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8f290589-db12-447f-8f38-d24653ce9f13} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bad16ee0-5134-4dc2-bd33-46a557c93d36} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ec6671fe-7062-4f26-8383-4b887c4cb50b} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fc8db863-22bc-4382-ac7a-96fabfd95bb8} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8e9d2f33-4585-4404-aa57-15b2b03707f4} (Rogue.VirusProtectPro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\E404.e404mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\DrvSrv (Trojan.Alphabet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\zip (Trojan.Alphabet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9db30f1e-538b-4395-9e49-37c1429ab459} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor) -> Data: i:\windows\system32\ntos.exe -> Delete on reboot.

Folders Infected:
I:\WINDOWS\Installer\{13547f57-17d5-4327-817e-d5c2501d8e4c} (Trojan.Alphabet) -> Delete on reboot.
I:\WINDOWS\Installer\{246934b5-1d7a-4b90-8427-b6a14c635bbe} (Trojan.Alphabet) -> Delete on reboot.
I:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Delete on reboot.

Files Infected:
I:\WINDOWS\Installer\{13547f57-17d5-4327-817e-d5c2501d8e4c}\DrvSrv.dll (Trojan.Alphabet) -> Delete on reboot.
I:\WINDOWS\Installer\{246934b5-1d7a-4b90-8427-b6a14c635bbe}\zip.dll (Trojan.Alphabet) -> Delete on reboot.
I:\Program Files\tmp211953.exe (Rogue.Installer) -> Quarantined and deleted successfully.
I:\Program Files\tmp212234.exe (Rogue.Installer) -> Quarantined and deleted successfully.
I:\Program Files\tmp48953.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
I:\Program Files\tmp49000.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
I:\Program Files\tmp49015.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
I:\Program Files\tmp55937.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
I:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\0930FZQP\1203531675[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
I:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\OBLV0C9N\1203531676[2].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
I:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\QKYRMG1E\1203531682[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
I:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Delete on reboot.
I:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Delete on reboot.
I:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
I:\Program Files\tmp1908859.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
I:\Program Files\tmp1908906.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
I:\Program Files\tmp1909671.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
I:\Program Files\tmp1909718.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
I:\Program Files\tmp1911421.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
I:\Program Files\tmp192421.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
I:\Program Files\tmp192593.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
I:\Program Files\tmp196406.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
I:\Program Files\tmp196796.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
I:\Program Files\tmp2875796.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
I:\Program Files\tmp2878296.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
I:\Program Files\tmp2965453.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
I:\Program Files\tmp48328.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
I:\Program Files\tmp51343.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
I:\Program Files\tmp7955390.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
I:\Program Files\tmp80453.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
I:\Program Files\tmp81656.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
I:\Program Files\tmp81750.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
I:\Program Files\tmp87843.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
I:\Program Files\tmp87859.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
I:\Program Files\tmp90156.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
I:\Program Files\tmp9857562.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
I:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
I:\WINDOWS\system32\ntos.exe (Backdoor) -> Delete on reboot.




HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:47:47, on 20/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\SOUNDMAN.EXE
I:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
I:\Program Files\Common Files\Real\Update_OB\realsched.exe
I:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
I:\PROGRA~1\COSIDS\BIN\TbMux32.exe
I:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
I:\ElsaWin\bin\LcSvrAdm.exe
I:\ElsaWin\bin\LcSvrDba.exe
I:\ElsaWin\bin\LcSvrHis.exe
I:\ElsaWin\bin\LcSvrKdS.exe
I:\ElsaWin\bin\LcSvrPas.exe
I:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
I:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Canon\CAL\CALMAIN.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\ElsaWin\bin\LcSvrAuf.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
I:\WINDOWS\system32\NOTEPAD.EXE
I:\WINDOWS\system32\wuauclt.exe
I:\Documents and Settings\Dave\Desktop\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WebCGMHlprObj Class - {56B38F40-4E70-11d4-A076-0080AD86BA2F} - I:\WINDOWS\cgmopenbho.dll
O2 - BHO: (no name) - {573613D5-6E43-4E16-A3AC-A7A5BBC20AA2} - I:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: {8f87e3cf-4cc8-91aa-5544-ecf82f0e0186} - {6810e0f2-8fce-4455-aa19-8cc4fc3e78f8} - I:\WINDOWS\system32\emydknis.dll (file missing)
O2 - BHO: (no name) - {93204460-DB2D-4FAA-89BD-9A8635A61720} - I:\WINDOWS\system32\mljgf.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] I:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "I:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] I:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - I:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - I:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - I:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179341719390
O16 - DPF: {737D14F8-4090-11D4-AE0E-0010830243BD} (SysVerChk Control) - http://pointa.autodesk.com/portal/lang/neutral/SysVerChk.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file:///I:/Program%20Files/AutoCAD%202002/AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///I:/Program%20Files/AutoCAD%202002/InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - http://pointa.autodesk.com/portal/lang/enu/InstFred.Ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file:///I:/Program%20Files/AutoCAD%202002/AcPreview.ocx
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O23 - Service: Adobe LM Service - Adobe Systems - I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - I:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: CAILI - Unknown owner - I:\WINDOWS\system32\caili.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - I:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COSIDS_TB - TransAction Software, D 81737 Munich - I:\PROGRA~1\COSIDS\BIN\TbMux32.exe
O23 - Service: DefWatch - Symantec Corporation - I:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ELSA Administration Service (LcSvrAdm) - Volkswagen AG - I:\ElsaWin\bin\LcSvrAdm.exe
O23 - Service: ELSA Auftragsverwaltungs Service (LcSvrAuf) - Volkswagen AG - I:\ElsaWin\bin\LcSvrAuf.exe
O23 - Service: ELSA DBA Server (LcSvrDba) - Volkswagen AG - I:\ElsaWin\bin\LcSvrDba.exe
O23 - Service: ELSA Historie Server (LcSvrHis) - Volkswagen AG - I:\ElsaWin\bin\LcSvrHis.exe
O23 - Service: ELSA KD-Nummern Server (LcSvrKds) - Volkswagen AG - I:\ElsaWin\bin\LcSvrKdS.exe
O23 - Service: ELSA PASS Server (LcSvrPAS) - Volkswagen AG - I:\ElsaWin\bin\LcSvrPas.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - I:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SentinelSuperProNet Server (SuperProServer) - Unknown owner - I:\WINDOWS\system32\spnsrvnt.exe (file missing)
O23 - Service: TIS 2000 Apache Web Server - Unknown owner - I:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe (file missing)

--
End of file - 7283 bytes

#4 Guest_Cretemonster_*


Posted 21 February 2008 - 05:57 PM

Very Nice.. :thumbsup:


Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

O2 - BHO: (no name) - {573613D5-6E43-4E16-A3AC-A7A5BBC20AA2} - I:\WINDOWS\system32\geebc.dll (file missing)

O2 - BHO: {8f87e3cf-4cc8-91aa-5544-ecf82f0e0186} - {6810e0f2-8fce-4455-aa19-8cc4fc3e78f8} - I:\WINDOWS\system32\emydknis.dll (file missing)

O2 - BHO: (no name) - {93204460-DB2D-4FAA-89BD-9A8635A61720} - I:\WINDOWS\system32\mljgf.dll (file missing)

Now make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked button.


I'd like to run a few scans and be sure we haven't missed anything.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#5 Dave J Spencer


Posted 22 February 2008 - 08:53 AM

Here are the contents of main.txt and extra.txt that you requested.

main.txt:

Deckard's System Scanner v20071014.68
Run by Dave on 2008-02-22 13:37:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-02-22 13:37:56 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Dave.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:40:43, on 22/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\SOUNDMAN.EXE
I:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
I:\Program Files\Common Files\Real\Update_OB\realsched.exe
I:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
I:\PROGRA~1\COSIDS\BIN\TbMux32.exe
I:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
I:\ElsaWin\bin\LcSvrAdm.exe
I:\ElsaWin\bin\LcSvrDba.exe
I:\ElsaWin\bin\LcSvrHis.exe
I:\ElsaWin\bin\LcSvrKdS.exe
I:\ElsaWin\bin\LcSvrPas.exe
I:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
I:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Canon\CAL\CALMAIN.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\ElsaWin\bin\LcSvrAuf.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\wuauclt.exe
I:\Documents and Settings\Dave\Desktop\dss.exe
I:\DOCUME~1\Dave\Desktop\Dave.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WebCGMHlprObj Class - {56B38F40-4E70-11d4-A076-0080AD86BA2F} - I:\WINDOWS\cgmopenbho.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] I:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "I:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] I:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - I:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - I:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - I:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179341719390
O16 - DPF: {737D14F8-4090-11D4-AE0E-0010830243BD} (SysVerChk Control) - http://pointa.autodesk.com/portal/lang/neutral/SysVerChk.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file:///I:/Program%20Files/AutoCAD%202002/AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///I:/Program%20Files/AutoCAD%202002/InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - http://pointa.autodesk.com/portal/lang/enu/InstFred.Ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file:///I:/Program%20Files/AutoCAD%202002/AcPreview.ocx
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O23 - Service: Adobe LM Service - Adobe Systems - I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - I:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: CAILI - Unknown owner - I:\WINDOWS\system32\caili.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - I:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COSIDS_TB - TransAction Software, D 81737 Munich - I:\PROGRA~1\COSIDS\BIN\TbMux32.exe
O23 - Service: DefWatch - Symantec Corporation - I:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ELSA Administration Service (LcSvrAdm) - Volkswagen AG - I:\ElsaWin\bin\LcSvrAdm.exe
O23 - Service: ELSA Auftragsverwaltungs Service (LcSvrAuf) - Volkswagen AG - I:\ElsaWin\bin\LcSvrAuf.exe
O23 - Service: ELSA DBA Server (LcSvrDba) - Volkswagen AG - I:\ElsaWin\bin\LcSvrDba.exe
O23 - Service: ELSA Historie Server (LcSvrHis) - Volkswagen AG - I:\ElsaWin\bin\LcSvrHis.exe
O23 - Service: ELSA KD-Nummern Server (LcSvrKds) - Volkswagen AG - I:\ElsaWin\bin\LcSvrKdS.exe
O23 - Service: ELSA PASS Server (LcSvrPAS) - Volkswagen AG - I:\ElsaWin\bin\LcSvrPas.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - I:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SentinelSuperProNet Server (SuperProServer) - Unknown owner - I:\WINDOWS\system32\spnsrvnt.exe (file missing)
O23 - Service: TIS 2000 Apache Web Server - Unknown owner - I:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe (file missing)

--
End of file - 6865 bytes

-- HijackThis Fixed Entries (I:\DOCUME~1\Dave\Desktop\backups\) ----------------

backup-20080222-133726-177 O2 - BHO: (no name) - {93204460-DB2D-4FAA-89BD-9A8635A61720} - I:\WINDOWS\system32\mljgf.dll (file missing)
backup-20080222-133726-397 O2 - BHO: {8f87e3cf-4cc8-91aa-5544-ecf82f0e0186} - {6810e0f2-8fce-4455-aa19-8cc4fc3e78f8} - I:\WINDOWS\system32\emydknis.dll (file missing)
backup-20080222-133726-604 O2 - BHO: (no name) - {573613D5-6E43-4E16-A3AC-A7A5BBC20AA2} - I:\WINDOWS\system32\geebc.dll (file missing)

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - %SystemRoot%\System32\CScript.exe "%1" %*
.scr - AutoCADScriptFile - shell\open\command - I:\WINDOWS\NOTEPAD.EXE "%1"
.vbs - VBSFile - shell\open\command - %SystemRoot%\System32\CScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 MASPINT - i:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>
R2 Sentinel - i:\windows\system32\drivers\sentinel.sys
R3 Bonifay - i:\windows\system32\drivers\bonifay.sys <Not Verified; Freecom; Bonifay>

S1 4fdw - i:\windows\system32\4fdw.dll (file missing)
S3 autorun - c:\huadio.tmp (file missing)
S3 Gonzales - i:\windows\system32\drivers\gonzales.sys <Not Verified; Freecom; Gonzales>
S3 mapmem_dv - c:\mapmem.tmp (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "i:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 CCALib8 (Canon Camera Access Library 8) - i:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 COSIDS_TB - i:\progra~1\cosids\bin\tbmux32.exe <Not Verified; TransAction Software, D 81737 Munich; TransBase/CD DataBase System>
R2 LcSvrAdm (ELSA Administration Service) - i:\elsawin\bin\lcsvradm.exe <Not Verified; Volkswagen AG; Volkswagen AG ® K-DOV-41>
R2 LcSvrDba (ELSA DBA Server) - i:\elsawin\bin\lcsvrdba.exe <Not Verified; Volkswagen AG; Volkswagen AG ® K-DOV-41>
R2 LcSvrHis (ELSA Historie Server) - i:\elsawin\bin\lcsvrhis.exe <Not Verified; Volkswagen AG; Volkswagen AG ® K-DOV-41>
R2 LcSvrKds (ELSA KD-Nummern Server) - i:\elsawin\bin\lcsvrkds.exe <Not Verified; Volkswagen AG; Volkswagen AG ® K-DOV-41>
R2 LcSvrPAS (ELSA PASS Server) - i:\elsawin\bin\lcsvrpas.exe <Not Verified; Volkswagen AG; ELSAWIN Application>
R3 LcSvrAuf (ELSA Auftragsverwaltungs Service) - i:\elsawin\bin\lcsvrauf.exe <Not Verified; Volkswagen AG; Volkswagen AG ® K-DOV-41>

S2 CAILI - i:\windows\system32\caili.exe
S2 SuperProServer (SentinelSuperProNet Server) - i:\windows\system32\spnsrvnt.exe (file missing)
S2 TIS 2000 Apache Web Server - i:\progra~1\cosids\apache~1\apache\apcht2kw.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-20 16:14:01 284 --a------ I:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-01-22 and 2008-02-22 -----------------------------

2008-02-21 21:29:48 0 d-------- I:\WINDOWS\system32\NtmsData
2008-02-20 18:31:35 0 d-------- I:\Documents and Settings\Dave\Application Data\Malwarebytes
2008-02-20 18:31:24 0 d-------- I:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-20 18:31:23 0 d-------- I:\Program Files\Malwarebytes' Anti-Malware
2008-02-16 21:43:21 0 d--h----- I:\Documents and Settings\Administrator\Templates
2008-02-16 21:43:21 0 dr------- I:\Documents and Settings\Administrator\Start Menu
2008-02-16 21:43:21 0 dr-h----- I:\Documents and Settings\Administrator\SendTo
2008-02-16 21:43:21 0 d--h----- I:\Documents and Settings\Administrator\Recent
2008-02-16 21:43:21 0 d--h----- I:\Documents and Settings\Administrator\PrintHood
2008-02-16 21:43:21 524288 --ah----- I:\Documents and Settings\Administrator\NTUSER.DAT
2008-02-16 21:43:21 0 d--h----- I:\Documents and Settings\Administrator\NetHood
2008-02-16 21:43:21 0 d-------- I:\Documents and Settings\Administrator\My Documents
2008-02-16 21:43:21 0 d--h----- I:\Documents and Settings\Administrator\Local Settings
2008-02-16 21:43:21 0 d-------- I:\Documents and Settings\Administrator\Favorites
2008-02-16 21:43:21 0 d-------- I:\Documents and Settings\Administrator\Desktop
2008-02-16 21:43:21 0 d--hs---- I:\Documents and Settings\Administrator\Cookies
2008-02-16 21:43:21 0 dr-h----- I:\Documents and Settings\Administrator\Application Data
2008-02-16 21:43:21 0 d---s---- I:\Documents and Settings\Administrator\Application Data\Microsoft
2008-02-15 20:30:11 0 d-------- I:\VundoFix Backups
2008-02-11 16:07:33 0 d-------- I:\Documents and Settings\Dave\AutoCad Resources
2008-02-11 09:51:55 0 d-------- I:\Documents and Settings\Dave\Application Data\Lavasoft
2008-02-10 17:25:20 0 d-------- I:\Documents and Settings\LocalService\Application Data\Help
2008-02-09 15:28:04 0 d-------- I:\Documents and Settings\Dave\Application Data\Autodesk
2008-02-03 19:15:06 31744 --a------ I:\WINDOWS\system32\Hlp95en.dll <Not Verified; Microsoft Corporation; Microsoft Office>
2008-02-03 19:15:06 446464 --a------ I:\WINDOWS\system32\hhactivex.dll <Not Verified; Blue Sky Software Corporation.; RoboHELP HTML 2000>
2008-02-03 19:15:05 487184 --a------ I:\WINDOWS\system32\Mrt7enu.dll <Not Verified; Microsoft Corporation; Microsoft Office>
2008-02-03 19:15:05 79360 --a------ I:\WINDOWS\system32\acdbres.dll
2008-02-03 19:14:30 0 d-------- I:\Program Files\Volo View Express
2008-02-03 15:25:36 111616 --a------ I:\WINDOWS\system32\Ltih30tb.dll <Not Verified; Lernout & Hauspie; NLI for RTF and HTML>
2008-02-03 15:25:36 225280 --a------ I:\WINDOWS\system32\awrtl30.dll <Not Verified; WexTech Systems, Inc.; AnswerWorks>
2008-02-03 15:25:35 0 d-------- I:\Program Files\WexTech
2008-02-03 15:25:35 0 d-------- I:\Program Files\Common Files\LHSPF
2008-02-03 12:48:46 45 --a------ I:\AUTOEXEC.BAT
2008-02-03 12:48:27 0 d-------- I:\Program Files\Common Files\Wextech Shared
2008-02-03 12:47:49 0 d-------- I:\Program Files\Common Files\Autodesk Shared
2008-02-03 12:47:49 0 d-------- I:\Program Files\AutoCAD 2002
2008-02-02 22:44:13 0 d-------- I:\WINDOWS\pss
2008-01-27 12:42:06 0 d-------- I:\WINDOWS\system32\20-20 Technologies
2008-01-24 21:57:51 0 d-------- I:\Program Files\Audacity
2008-01-24 20:06:40 0 d-------- I:\Program Files\MixMeister EZ Vinyl Converter


-- Find3M Report ---------------------------------------------------------------

2008-02-20 18:37:49 0 d-------- I:\Program Files\Common Files
2008-02-17 15:16:27 0 d-------- I:\Program Files\Enigma Software Group
2008-02-15 20:32:38 0 d-------- I:\Program Files\Java
2008-02-06 20:38:29 0 d-------- I:\Program Files\Common Files\Adobe
2008-01-27 12:42:11 2573 --a------ I:\WINDOWS\mozver.dat
2008-01-16 18:49:33 0 d-------- I:\Program Files\iTunes
2008-01-16 18:49:23 0 d-------- I:\Program Files\iPod
2008-01-16 18:47:44 0 d-------- I:\Program Files\QuickTime
2008-01-16 11:18:33 0 d-------- I:\Documents and Settings\Dave\Application Data\Logitech
2008-01-16 11:18:21 0 d-------- I:\Program Files\Common Files\LogiShared
2008-01-16 11:13:02 0 d-------- I:\Program Files\Common Files\Logitech
2008-01-16 11:12:35 0 d-------- I:\Program Files\Logitech
2008-01-16 11:12:34 0 d--h----- I:\Program Files\InstallShield Installation Information
2008-01-16 11:12:26 0 d-------- I:\Documents and Settings\Dave\Application Data\InstallShield
2008-01-03 18:50:57 0 d-------- I:\Program Files\LiveUpdate
2008-01-03 18:50:40 0 d-------- I:\Program Files\mobile PhoneTools
2007-12-30 20:21:16 0 d-------- I:\Program Files\CyberLink
2007-12-28 21:19:44 0 d-------- I:\Documents and Settings\Dave\Application Data\Adobe
2007-12-27 19:32:48 0 d-------- I:\Documents and Settings\Dave\Application Data\Leadertech
2007-12-26 21:01:53 0 d-------- I:\Program Files\Belkin


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [27/03/2003 08:34 I:\WINDOWS\SOUNDMAN.EXE]
"vptray"="I:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [21/05/2003 00:21]
"TkBellExe"="I:\Program Files\Common Files\Real\Update_OB\realsched.exe" [25/06/2007 13:47]
"AdaptecDirectCD"="I:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [10/09/2007 09:25]
"iTunesHelper"="I:\Program Files\iTunes\iTunesHelper.exe" [15/01/2008 03:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="I:\WINDOWS\system32\ctfmon.exe" [04/08/2004 00:56]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 I:\WINDOWS\system32\geebc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\I:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=I:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=I:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\I:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=I:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=I:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\I:^Documents and Settings^Dave^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=I:\Documents and Settings\Dave\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=I:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"I:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"I:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize2 Reminder]
I:\Program Files\PCPitstop\Optimize2\Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"I:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
I:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\shicoxp]
I:\WINDOWS\shicoxp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
I:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"I:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{82698788-661c-11dc-a3a7-000d61a71600}]
AutoRun\command- L:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2008-02-22 13:41:13 ------------



extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 2500+
Percentage of Memory in Use: 31%
Physical Memory (total/avail): 1535.48 MiB / 1050.69 MiB
Pagefile Memory (total/avail): 3435.14 MiB / 3143.24 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1923.75 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 35.46 GiB total, 14.09 GiB free.
D: is Fixed (NTFS) - 39.07 GiB total, 25.5 GiB free.
E: is Removable (No Media)
F: is Removable (No Media)
G: is CDROM (Unformatted)
H: is CDROM (Unformatted)
I: is Fixed (NTFS) - 232.88 GiB total, 189.49 GiB free.
J: is Removable (No Media)
K: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD2500JB-00REA0 - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - I:

\\.\PHYSICALDRIVE1 - WDC WD800JB-00ETA0 - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 35.46 GiB - C:
\PARTITION1 - Installable File System - 39.07 GiB - D:

\\.\PHYSICALDRIVE3 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE5 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE2 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntivirusOverride is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"I:\\Program Files\\Kinetic\\BaseStation\\BaseStation.exe"="I:\\Program Files\\Kinetic\\BaseStation\\BaseStation.exe:*:Enabled:BaseStation"
"I:\\Program Files\\Mozilla Firefox\\firefox.exe"="I:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Disabled:Firefox"
"I:\\Program Files\\iTunes\\iTunes.exe"="I:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"I:\\DOCUME~1\\Dave\\LOCALS~1\\Temp\\win6E.exe"="I:\\DOCUME~1\\Dave\\LOCALS~1\\Temp\\win6E.exe:*:Enabled:win6E"
"I:\\WINDOWS\\TEMP\\win14B.exe"="I:\\WINDOWS\\TEMP\\win14B.exe:*:Enabled:win14B"
"I:\\WINDOWS\\TEMP\\winF0B.exe"="I:\\WINDOWS\\TEMP\\winF0B.exe:*:Enabled:winF0B"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=I:\Documents and Settings\All Users
APPDATA=I:\Documents and Settings\Dave\Application Data
CLASSPATH=.;I:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=I:\Program Files\Common Files
COMPUTERNAME=POPS
ComSpec=I:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=I:
HOMEPATH=\Documents and Settings\Dave
LOGONSERVER=\\POPS
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=I:\WINDOWS\system32;I:\WINDOWS;I:\WINDOWS\System32\Wbem;I:\Program Files\Common Files\Adobe\AGL;I:\PROGRA~1\COSIDS;I:\Program Files\Common Files\Adaptec Shared\System;I:\Program Files\QuickTime\QTSystem\;I:\Program Files\Common Files\Autodesk Shared\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=I:\Program Files
PROMPT=$P$G
QTJAVA=I:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=I:
SystemRoot=I:\WINDOWS
TEMP=I:\DOCUME~1\Dave\LOCALS~1\Temp
TMP=I:\DOCUME~1\Dave\LOCALS~1\Temp
USERDOMAIN=POPS
USERNAME=Dave
USERPROFILE=I:\Documents and Settings\Dave
windir=I:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Dave (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> I:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{11E83B33-972B-4512-A447-FF0FD0246EE9}\setup.exe" -l0x9
--> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{23EFDB58-0874-4883-9810-EDA510B19FAE}\setup.exe" -l0x9
--> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{27B9131D-CEFA-42C5-8D7D-56EFD80BAA25}\setup.exe" -l0x9
--> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{2BB79C8D-9DCC-4861-8A23-AE1B0B45E2B6}\setup.exe" -l0x9
--> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{2BFBC62A-3353-443D-93BE-7AC641D9F342}\setup.exe" -l0x9
--> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{5D1A81AA-ED90-11D6-86D3-00055DF3561E}\setup.exe" -l0x9
--> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{B100B05B-E290-41EF-9366-8BC4C76D7769}\setup.exe" -l0x9
--> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{B14F9B26-D695-4C4A-8B11-0FE6CDCC797B}\setup.exe" -l0x9
--> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{BDFC3C8D-823E-4FCF-870B-E756B27CB57E}\setup.exe" -l0x9
--> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{D3568156-59C3-42DF-A520-2C25B6706C91}\setup.exe" -l0x9
--> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{E213C271-AEFA-481D-A9B4-914D88925B8D}\setup.exe" -l0x9
--> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{FAD9402A-1A9B-4ABE-A410-393A3622FA5A}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 I:\WINDOWS\INF\PCHealth.inf
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 9 ActiveX --> I:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> I:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE I:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos 1.0 --> MsiExec.exe /I{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
AnswerWorks Runtime --> I:\WINDOWS\IsUninst.exe -f"I:\Program Files\WexTech\AnswerWorks\Uninst.isu"
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Audacity 1.2.6 --> "I:\Program Files\Audacity\unins000.exe"
AutoCAD 2002 --> MsiExec.exe /I{5783F2D7-0101-0409-0000-0060B0CE6BBA}
BaseStation --> MsiExec.exe /I{128F3FEA-B43F-442C-9961-2998F69F026D}
Belkin Bluetooth Software --> MsiExec.exe /X{3F4EC965-28EF-45C3-B063-04B25D4E9679}
Canon Camera Access Library --> "I:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "I:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "I:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "I:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "I:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "I:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "I:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "I:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "I:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "I:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
CANON iMAGE GATEWAY Task for ZoomBrowser EX --> "I:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "I:\Program Files\Canon\ZoomBrowser EX\Program\CRWUnInstall.ini"
Canon Internet Library for ZoomBrowser EX --> "I:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "I:\Program Files\Canon\ZoomBrowser EX\Program\CIGUnInstall.ini"
Canon RAW Image Task for ZoomBrowser EX --> "I:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "I:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "I:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "I:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities Digital Photo Professional 2.2 --> "I:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "I:\Program Files\Canon\Digital Photo Professional\Uninst.ini"
Canon Utilities EOS Utility --> "I:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "I:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities PhotoStitch --> "I:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "I:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "I:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "I:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
CDDRV_Installer --> MsiExec.exe /I{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}
Easy CD Creator 5 Platinum --> MsiExec.exe /I{8851E12C-0EF9-11D4-A788-009027ABA5D0}
ElsaWin --> I:\WINDOWS\uninst.exe -fI:\ElsaWin\DeIsL1.isu -c"I:\ElsaWin\bin\UNINST.DLL"
EPSON Copy Utility --> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{B69CC1A5-0404-11D6-ABCB-005004C21D30}\setup.exe" -l0x9 ADDREMOVEDLG
EPSON Photo Print --> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{9391F2BC-B6F3-4AAC-82CC-5A74A4ED388E}\setup.exe" -l0x9 MyUninstall
EPSON Scan --> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{0E0131B2-CF18-40D9-A331-60A3746C1204}\SETUP.EXE" -l0x9 UNINSTALL
EPSON Smart Panel --> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{6C11D561-620B-47DA-A693-4C597F3CDF40}\SETUP.EXE" -l0x9 Uninstall
EZ Vinyl Converter by MixMeister 1.0.5 --> "I:\Program Files\MixMeister EZ Vinyl Converter\unins000.exe"
FinePixViewer Ver.4.2 --> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{24ED4D80-8294-11D5-96CD-0040266301AD}\SETUP.EXE"
Freecom Backup Software 1.15 --> "I:\Program Files\Freecom Backup Software\unins000.exe"
Freecom Personal Media Suite 2.24 --> "I:\Program Files\Freecom Personal Media Suite\unins000.exe"
FTDI USB Serial Converter Drivers --> I:\WINDOWS\system32\ftdiunin.exe I:\WINDOWS\system32\ftdiun2k.ini
FUJIFILM USB Driver --> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\SETUP.EXE"
Google Earth --> MsiExec.exe /I{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}
HijackThis 2.0.2 --> "I:\Documents and Settings\Dave\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "I:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
ImageMixer VCD2 for FinePix --> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{934E9442-D305-4ACF-AD87-A6C11D677CB9}\setup.exe"
iTunes --> MsiExec.exe /I{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}
Java Servlet Development Kit 2.0 --> I:\WINDOWS\uninst.exe -fI:\JSDK2.0\DeIsL1.isu
KhalInstallWrapper --> MsiExec.exe /I{56918C0C-0D87-4CA6-92BF-4975A43AC719}
LiveUpdate 1.80 (Symantec Corporation) --> I:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
LiveUpdate BVRP Software --> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe" -l0x9
Logitech Registration --> MsiExec.exe /I{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}
Logitech SetPoint --> I:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe -runfromtemp -l0x0009 -removeonly
Malwarebytes' Anti-Malware --> "I:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft AutoRoute 2002 --> MsiExec.exe /I{F7F2DC0A-C22E-49AD-AD37-797309A54E7B}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "I:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "I:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
MicroStaff WINASPI --> I:\MWASPI\uninst.exe
mobile PhoneTools --> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{F18E8A0F-BE99-4305-96A5-6C0FD9D7D999}\setup.exe" -l0x9
Mozilla Firefox (2.0.0.11) --> I:\Program Files\Mozilla Firefox\uninstall\helper.exe
oggcodecs 0.71.0946 --> I:\Program Files\illiminable\oggcodecs\uninst.exe
PowerDVD --> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
RAW FILE CONVERTER LE --> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{D680C913-5955-469D-9D88-C1940F7506D6}\SETUP.EXE" -l0x9
RealPlayer --> I:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
ScanToWeb --> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}\setup.exe" ADDREMOVEDLG
Sentinel System Driver --> I:\WINDOWS\SYSTEM32\RNBOSENT\SETUPX86.EXE /U /q
Sky Broadband --> MsiExec.exe /I{14C35072-D7D0-4B29-B5BF-C94E426D77E9}
Spybot - Search & Destroy 1.4 --> "I:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec AntiVirus Client --> MsiExec.exe /X{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}
ToolBedView --> MsiExec.exe /I{A680FC43-4EC9-4F7A-B02C-9241F17FCB15}
USB Mass Storage Reader --> RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{F2DD7B9B-4384-4131-A79C-804D6E0564BD}\Setup.exe" -l0x9
Volo View Express --> I:\WINDOWS\uninst.exe -f"I:\Program Files\Volo View Express\DeIsL1.isu"
WinAce Archiver --> I:\Program Files\WinAce\SXUNINST.EXE I:\Program Files\WinAce\SXUNINST.INI
Windows Media Format 11 runtime --> "I:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type10198 / Error
Event Submitted/Written: 02/20/2008 06:22:01 PM
Event ID/Source: 5 / Norton AntiVirus
Event Description:
Virus Found!Virus name: Downloader.MisleadApp in File: I:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\HC2D7YT3\1203531677[1].exe by: Realtime Protection scan. Action: Clean failed : Quarantine failed : Access denied

Event Record #/Type10145 / Warning
Event Submitted/Written: 02/17/2008 07:54:01 PM
Event ID/Source: 6 / Norton AntiVirus
Event Description:
Scan could not access path C:\WINNT\$NtServicePackUninstall$\msdaurl.dll

Event Record #/Type10144 / Warning
Event Submitted/Written: 02/17/2008 07:54:01 PM
Event ID/Source: 6 / Norton AntiVirus
Event Description:
Scan could not access path C:\WINNT\$NtServicePackUninstall$\msdatt.dll

Event Record #/Type10143 / Warning
Event Submitted/Written: 02/17/2008 07:54:01 PM
Event ID/Source: 6 / Norton AntiVirus
Event Description:
Scan could not access path C:\WINNT\$NtServicePackUninstall$\msdatsrc.tlb

Event Record #/Type10142 / Warning
Event Submitted/Written: 02/17/2008 07:54:01 PM
Event ID/Source: 6 / Norton AntiVirus
Event Description:
Scan could not access path C:\WINNT\$NtServicePackUninstall$\msdatl3.dll



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type20622 / Error
Event Submitted/Written: 02/22/2008 01:36:05 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The TIS 2000 Apache Web Server service failed to start due to the following error:
%%2

Event Record #/Type20621 / Error
Event Submitted/Written: 02/22/2008 01:36:05 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SentinelSuperProNet Server service failed to start due to the following error:
%%2

Event Record #/Type20620 / Error
Event Submitted/Written: 02/22/2008 01:36:05 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The CAILI service failed to start due to the following error:
%%1053

Event Record #/Type20619 / Error
Event Submitted/Written: 02/22/2008 01:36:05 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the CAILI service to connect.

Event Record #/Type20584 / Error
Event Submitted/Written: 02/22/2008 09:56:50 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The TIS 2000 Apache Web Server service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-02-22 13:41:13 ------------
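A way to triage the event-log section of a Deckard's System Scanner dump like the one above, given as an added example that is not part of the original post; the function names and triage labels are hypothetical. The `%%2` and `%%1053` values that the Service Control Manager prints are Win32 error codes: file not found (the service's executable is missing) and service start timeout.

```python
import re
# Constructed sample: three records in the format of the log excerpt above.
SAMPLE = r"""
Event Record #/Type10198 / Error
Event Submitted/Written: 02/20/2008 06:22:01 PM
Event ID/Source: 5 / Norton AntiVirus
Event Description:
Virus Found!Virus name: Downloader.MisleadApp in File: I:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\HC2D7YT3\1203531677[1].exe by: Realtime Protection scan. Action: Clean failed : Quarantine failed : Access denied

Event Record #/Type20622 / Error
Event Submitted/Written: 02/22/2008 01:36:05 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The TIS 2000 Apache Web Server service failed to start due to the following error:
%%2

Event Record #/Type20620 / Error
Event Submitted/Written: 02/22/2008 01:36:05 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The CAILI service failed to start due to the following error:
%%1053
"""

# Win32 error codes that the Service Control Manager prints as %%N.
WIN32 = {2: "ERROR_FILE_NOT_FOUND", 1053: "ERROR_SERVICE_REQUEST_TIMEOUT"}
HEADER = re.compile(r"Event Record #/Type(\d+) / (\w+)")
ID_SRC = re.compile(r"Event ID/Source: (\d+) / (.+)")

def parse_records(text):
    """Split the dump on blank lines and return one dict per event record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head, ids = HEADER.search(block), ID_SRC.search(block)
        if head and ids:  # skip anything that is not an event record
            records.append({"record": int(head.group(1)), "type": head.group(2),
                            "event_id": int(ids.group(1)), "source": ids.group(2).strip(),
                            "description": block.split("Event Description:", 1)[-1].strip()})
    return records

def triage(rec):
    """Return a hypothetical triage label for one parsed record."""
    desc = rec["description"]
    if "Virus Found!" in desc and "failed" in desc:
        return "av-remediation-failed"  # detected, but neither cleaned nor quarantined
    code = re.search(r"%%(\d+)", desc)
    if rec["source"] == "Service Control Manager" and code:
        return "service-start-failed: " + WIN32.get(int(code.group(1)), "Win32 error " + code.group(1))
    return "info"
```

A detection whose action ends in "Clean failed : Quarantine failed" means the file is still on disk, so it is the first record to follow up on.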

#6 Guest_Cretemonster_*


Posted 22 February 2008 - 08:36 PM

How well do you do working in the registry?

For now, get to the command prompt -> Start -- Run -- type in cmd and click OK.

Once the command prompt is up, type in the following --> sc delete 4fdw

i:\windows\system32\4fdw.dll <-- Confirm this file is gone please.

2 other drivers I'm not so familiar with, maybe you can shed some light on these.

S3 autorun - c:\huadio.tmp (file missing)

S3 mapmem_dv - c:\mapmem.tmp (file missing)



Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.


#7 Dave J Spencer


Posted 23 February 2008 - 04:04 PM

Cretemonster

Have followed your instructions to delete 4fdw.dll and had confirmation that the file was deleted successfully; have also checked the system32 folder from the command prompt and Windows search facility. The two drivers you had concerns about I cannot shed any light on, other than do an Internet search and find that both files have not been digitally signed by Microsoft and have no security file rating.

I note that the F-Secure Online Scanner is for Internet Explorer only. I normally run Firefox as my default browser; how should I now proceed with this scan? I await your instructions.

Regards Dave Spencer

#8 Guest_Cretemonster_*


Posted 24 February 2008 - 01:46 PM

Not sure which scanners will work in Firefox, try the TrendMicro Scan
http://housecall.trendmicro.com/

#9 Dave J Spencer


Posted 25 February 2008 - 08:40 AM

Have run the Trend MicroScan; this scan picked up several infections, vulnerabilities and a trojan, and most were automatically deleted. One of the infections required a manual deletion of the file and the two vulnerabilities required a software update. After completion of these items have run the Trend MicroScan again, this time resulting in finding some tracking cookies which have been subsequently deleted. Is it necessary to run the MicroScan again as it takes approximately 4 hrs. to complete?

Best regards

#10 Guest_Cretemonster_*


Posted 27 February 2008 - 07:43 AM

I think you are going to be just fine and dandy now.

Now we need to reset System Restore and Clear out all the old infected restore points.
  • Click Start
  • Right-Click "My Computer" and Select Properties.
  • Click on the "System Restore" tab.
  • Place a checkmark in the box for "Turn off System Restore" and Click "Apply."
  • Restart the Computer.
  • Return to System Restore and Uncheck the box for "Turn off System Restore" and Click "Apply."
  • A fresh Restore Point will be created.
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Windows, Internet Explorer and Microsoft Office Updates

Visit Microsoft's Windows Update Site frequently. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

If you are running Microsoft Office, or any application of it, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed.

If you have trouble with Windows Update, you still can get all the Critical Updates, Security Fixes and Service Packs. Below are a few links to bookmark.

Microsoft Security Bulletins
http://www.microsoft.com/technet/security/current.aspx

Office downloads
http://office.microsoft.com/en-us/officeupdate/default.aspx

Download Center
http://www.microsoft.com/downloads/search.aspx

Microsoft Security Advisories
http://www.microsoft.com/technet/security/...ry/default.mspx

Recently Published
http://www.microsoft.com/technet/security/...nt/default.mspx

Programs that may help you in keeping the PC clean

MalwareBytes Anti-Malware can be found Here or Here
  • The full version provides a degree of real-time protection along with other solutions against spyware that is a great addition to any computer.
  • The free version can be updated and used for scanning your computer weekly for new malware.
ERUNT(The Emergency Recovery Utility for NT) can be found Here or Here
  • You can use this utility as a primary registry backup utility, apart from System Restore.
  • Two methods of registry backup ( System Restore and using ERUNT ) is often recommended.
  • Detailed usage can be found Here
It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See the link below for a listing of some online & their stand-alone antivirus programs.
Computer Safety On line - Anti-Virus
http://forum.malwareremoval.com/viewtopic.php?p=53#53

Update your Anti Virus Software

It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall

I can not stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below.
Computer Safety On line - Software Firewalls
http://forum.malwareremoval.com/viewtopic.php?p=56#56
A tutorial on Understanding and Using Firewalls can be found here

Additional Information

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link.

A very nice collection of tutorials is available at Bleeping Computer
http://www.bleepingcomputer.com/tutorials/

Finally, after following up on all these recommendations, run Jason Levine's Browser Security Tests.
They will provide you with an insight on how vulnerable you might still be to a number of common exploits.
http://www.jasons-toolbox.com/BrowserSecurity/

Other Security checks and more sites relating to computer security are listed below, take the time to visit these when you have time.
Symantec Security Check
Gibson Research Corporation Home Page (Look for the Hot Spots Section)
McAfee SiteAdvisor
LinkScanner
GFI Email Security Testing Zone

#11 Dave J Spencer


Posted 29 February 2008 - 04:32 PM

Cretemonster

Many thanks for all your help with cleaning up my computer. I have followed your comments in the last post and read through several of the tutorials on this forum about maintaining a clean, infection-free computer. Following on from that, I have also downloaded SpywareGuard to help protect whilst browsing. Once again many thanks for your help.

Best Regards

Dave Spencer



