
Trojan,Powerscan,malware infestation


  • This topic is locked
13 replies to this topic

#1 Biofriendly

Posted 24 June 2005 - 01:23 PM

Please can you help?

My neighbour's computer has been infected, it all started when he was browsing the Net. A popup opened and AVG picked up a Trojan horse Collected.AF, it could not be healed, deleted etc. and files were copied to the local settings\temp folder.

I deleted the temp folder contents, and noticed a new program had been installed called Powerscan, this was removed using Add/Remove programs. The PC was restarted and a powerscan program started up after closing and uninstallation I ran AVG (no virus found), Spybot S+D (found various malware inc. Powerscan and ISearchTech), Ad-Aware (found similar problems), these were all removed successfully. I ran these programs again after restarting and no problems were found.

However now when connecting to the internet the browser opens up a web page called corn on the cob and again AVG picks up the same Trojan, I end the task and disconnect but the network connection window opens either saying that pwnage.xtremepower.info. or competone.com wants to connect. This persists after selecting cancel until you restart the PC.

I have updated all above security software and tried spyware blaster and winpatrol and a system restore (this cannot be done).

Looking at the running processes I noticed the l9ol.exe and tried ending the process, this allowed me to connect to the internet without the corn on the cob installer window opening, but upon disconnecting the network connection window opens either saying that pwnage.xtremepower.info. or competone.com wants to connect.

Please, please, please cure this problem.
Thanks
P.S. Sorry if message is too long and boring.

Logfile of HijackThis v1.99.1
Scan saved at 17:53:50, on 24/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
C:\WINDOWS\System32\msdesk32.exe
C:\l9ol.exe
C:\wanadoo\wanadooconnectionkit\atdialler1.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\BT Broadband Help\bin\mpbtn.exe
C:\Documents and Settings\Gorman\My Documents\Highjackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/cd_redirects/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [Microsoft Desktop Manager] msdesk32.exe
O4 - HKLM\..\Run: [REGRUN] C:\l9ol.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\RunServices: [Microsoft Desktop Manager] msdesk32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wanadoo Connection Kit.lnk = C:\wanadoo\wanadooconnectionkit\atdialler1.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Help\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

#2 OldTimer

    Malware Expert


Posted 24 June 2005 - 11:27 PM

Hello Biofriendly and welcome to the BC forums. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.

Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [Microsoft Desktop Manager] msdesk32.exe
O4 - HKLM\..\Run: [REGRUN] C:\l9ol.exe
O4 - HKLM\..\RunServices: [Microsoft Desktop Manager] msdesk32.exe

I question this item for a Wanadoo dialup connection. It appears that you have BT broadband so if this is no longer needed you can check it also. Even if you still use Wanadoo this does not have to startup at bootup, you can still remove this and start it as needed:

O4 - Global Startup: Wanadoo Connection Kit.lnk = C:\wanadoo\wanadooconnectionkit\atdialler1.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Find the following files/folders and delete them (don't worry if they are already gone):

C:\WINDOWS\System32\msdesk32.exe
C:\l9ol.exe

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally and run at least 2 of the following on-line virus scans:

  • Trend Micro Housecall
  • BitDefender On-Line Virus Scan
  • Panda ActiveScan
  • eTrust Antivirus Web Scanner

Make sure that you choose "fix", "clean" or "autoclean". If you have any files that cannot be disinfected or quarantined automatically then delete them manually.

Step #7

AdAware SE v1.06

Download, install, update, configure and run a scan with Ad-aware SE v1.06:
  • Download and Install AdAware SE Personal, keeping the default options. However, some of the settings will need to be changed before your first scan.
  • Close ALL windows except Ad-Aware SE.
  • Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
  • Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
    • In the ‘General’ window make sure the following are selected in green:
      • Under Safety:
        • Automatically save log-file
        • Automatically quarantine objects prior to removal
        • Safe Mode (always request confirmation)
      • Under Definitions:
        • Prompt to update outdated definitions - set the number of days
  • Click on the ‘Scanning’ button on the left and select in green:
    • Under Driver, Folders & Files:
      • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Under Memory & Registry: all green
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
  • Click on the ‘Advanced’ button on the left and select in green:
    • Under Shell Integration:
      • Move deleted files to recycle bin
    • Under Logfile Detail Level: all green
      • include additional object information
      • DESELECT - include negligible objects information
      • include environment information
    • Under Alternate Data Streams:
      • Don't log streams smaller than 0 bytes
      • Don't log ADS with the following names: CA_INOCULATEIT
  • Click the ‘Tweak’ button and select in green:
    • Under ‘Scanning Engine’:
      • Unload recognized processes during scanning
      • Scan registry for all users instead of current user only
    • Under ‘Cleaning Engine’:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Please do not check: Include Module list in logfile
  • Click on ‘Proceed’ to save the settings.
  • Click ‘Start’
  • Choose 'Perform Full System Scan'
  • DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  • Right-click on the list and choose Select All
  • Click the Next button to finish removing the items that were found
  • When finished, REBOOT to complete the removal of what Ad-Aware SE found

Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 Biofriendly


Posted 26 June 2005 - 10:32 AM

Thanks so much OldTimer for spending your time analysing the log.
I followed your instructions and the system seems to be OK now.
Below is information on the on-line virus scans:-

Trend Micro Housecall

1st Scan

WORM RBOT.GEN - Non Cleanable C:\WINDOWS\SYSTEM32\svghost.exe

WORM AGOBOT.AQX - Non Cleanable C:\WINDOWS\SYSTEM32\wuamkops.exe

WORM RBOT.GEN - Non Cleanable C:\System Volume Information\_restore

2nd Scan

WORM RBOT.GEN - Can Not Access C:\WINDOWS\SYSTEM32\winbog32.exe
cannot delete currently in use

WORM RBOT.GEN - Non Cleanable C:\System Volume Information\_restore

WORM AGOBOT.AQX - Non Cleanable C:\System Volume Information\_restore

3rd Scan

WORM RBOT.GEN - Non Cleanable C:\System Volume Information\_restore

4th Scan

CLEAN!

BitDefender On-Line Virus Scan

1st Scan

Dropped:Trojan.Muldrop.2.0.4 - Deleted - C:\System Volume Information\_restore

Trojan.LowZones.BS - Deleted C:\gomomma.exe

2nd Scan

Trojan.LowZones.BS - Deleted C:\System Volume Information\_restore

3rd Scan

CLEAN!

For the C:\WINDOWS\SYSTEM32\winbog32.exe file I had to end the process in task manager before I could manually delete the infected file.

I also ran the Panda Active scan which found and deleted a virus but could not remove the spyware:-

Incident Status Location

Adware:Adware/CWS No disinfected C:\Documents and Settings\Gorman\Favorites\Fun & Games
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\YSBactivex.???
Virus:Trj/Agent.WB Disinfected C:\WINDOWS\SYSTEM32\TFTP1552
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\YSBactivex.dll
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\YSBactivex.dll
The above spyware was still detected on the second panda scan also.
Ad-aware did not detect the above spyware either or any spyware for that matter.
Upon opening the C:\WINDOWS\Downloaded Program Files, none of the above files were present, I did however delete the Favourites\Fun & Games folder.

One more thing, the C: drive also contained a file (C:\l98ol) which was created at about the same time as the (C:\l9ol) and the (C:\gomamma) files. Should I delete this file also?

Here is the new log file for analysis
Thanks again

Logfile of HijackThis v1.99.1
Scan saved at 15:35:50, on 26/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\BT Broadband Help\bin\mpbtn.exe
C:\Documents and Settings\Gorman\My Documents\Highjackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/cd_redirects/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Windows CPU host] winbog32.exe
O4 - HKLM\..\RunServices: [Windows CPU host] winbog32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Help\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
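
An added example, not part of the original posts: a small Python triage script that parses the registry `O4` autorun lines of two HijackThis logs, lists the entries that appeared between scans, and flags entries for manual review. The sample lines are excerpted from the two logs posted above; the function names and the two review heuristics (target in the drive root, same entry under both Run and RunServices) are assumptions of this example, not HijackThis features.

```python
import ntpath
import re
from collections import namedtuple

Autorun = namedtuple("Autorun", "location name target")

# Registry autoruns look like:  O4 - HKLM\..\Run: [Name] command line
# ("Global Startup" shortcut lines use another layout and are skipped here.)
O4_RE = re.compile(r"^O4 - (?P<loc>HK[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif))\b", re.IGNORECASE)

# Excerpt of the log saved 24/06/2005 (lines copied from the first post).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [Microsoft Desktop Manager] msdesk32.exe
O4 - HKLM\..\Run: [REGRUN] C:\l9ol.exe
O4 - HKLM\..\RunServices: [Microsoft Desktop Manager] msdesk32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Excerpt of the log saved 26/06/2005 (lines copied from the post above).
LOG_AFTER = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [Windows CPU host] winbog32.exe
O4 - HKLM\..\RunServices: [Windows CPU host] winbog32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""


def target_of(cmd):
    """Return the program part of an autorun command line, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path: take up to closing quote
        return cmd[1:].split('"', 1)[0]
    m = EXE_RE.match(cmd)                   # unquoted path, may contain spaces
    return m.group(1) if m else cmd.split()[0]


def parse_o4(log_text):
    """Extract registry autorun entries from HijackThis log text."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(Autorun(m["loc"], m["name"], target_of(m["cmd"])))
    return entries


def new_entries(before, after):
    """Entries present in the later scan but not in the earlier one."""
    seen = {(e.location, e.name, e.target.lower()) for e in before}
    return [e for e in after
            if (e.location, e.name, e.target.lower()) not in seen]


def triage(entries):
    """Map target -> reasons it deserves a manual look (not a verdict)."""
    locations = {}
    for e in entries:
        locations.setdefault((e.name, e.target.lower()), set()).add(e.location)
    reasons = {}
    for e in entries:
        why = []
        _drive, tail = ntpath.splitdrive(e.target)
        if ntpath.dirname(tail) == "\\":    # e.g. C:\something.exe
            why.append("runs from drive root")
        locs = locations[(e.name, e.target.lower())]
        if len(locs) > 1 and any(l.endswith("\\RunServices") for l in locs):
            why.append("registered under Run and RunServices")
        if why:
            reasons[e.target.lower()] = sorted(set(why))
    return reasons


if __name__ == "__main__":
    before, after = parse_o4(LOG_BEFORE), parse_o4(LOG_AFTER)
    for e in new_entries(before, after):
        print("NEW    ", e.location, e.name, e.target)
    for target, why in triage(after).items():
        print("REVIEW ", target, "-", "; ".join(why))
```
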

#4 OldTimer

    Malware Expert


Posted 26 June 2005 - 02:46 PM

Hi Biofriendly. Let's do a different scan to see if there is anything hiding which might not be showing up in the HijackThis log.

Download PFind.zip and unzip the contents to its own permanent folder.

Important! Reboot in SAFE MODE !!

Start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.

Locate the pfind.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

Post the contents of C:\pfind.txt back here and I will review it when it comes in.

Also, your operating system is extremely out of date. By not keeping your OS updated you leave yourself open to many of the infections that cannot be installed on a properly updated system. I strongly recommend that you go to the Windows Update site and install Service Pack 2. Once that is done, go back to the Windows Update site and install all available Critical Updates. This will patch your system with the most current security fixes and plug all the known holes which your present system has open.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#5 Biofriendly


Posted 27 June 2005 - 10:18 AM

Hello, here is the pfind.txt file as requested.
I will update their OS to SP2 tonight.
Thanks very much

Files found with this application may be legitimate.
Only remove files that you know are malware related.


Checking the C: folder



Checking the C:\Program Files folder



Checking the C:\WINDOWS folder

C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\tsc.exe: UPX!


Checking the C:\WINDOWS\SYSTEM32 folder

C:\WINDOWS\SYSTEM32\DivX.dll: PEC2
C:\WINDOWS\SYSTEM32\DivX.dll: PECompact2


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder

C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: error finding UPX! header
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: FSG!u1
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: UPX!


Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\All Users\Application Data folder




Checking the C:\Documents and Settings\Gorman\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\Gorman\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days


C:\WINDOWS\
hwinfo.dat Tue 17 May 2005 20:44:22 ...HR 213,024 208.03 K
folder.htt Tue 17 May 2005 20:44:02 ...H. 12,746 12.45 K
ttfcache Tue 17 May 2005 20:42:32 A..H. 2,969 2.90 K
window~1.man Tue 17 May 2005 21:07:42 A..HR 749 0.73 K
bootstat.dat Mon 27 Jun 2005 12:43:24 A.S.. 2,048 2.00 K

C:\WINDOWS\SYSTEM32\
folder.htt Tue 17 May 2005 20:44:02 ...H. 12,746 12.45 K
ncpacp~1.man Tue 17 May 2005 21:07:42 A..HR 749 0.73 K
nwccpl~1.man Tue 17 May 2005 21:07:42 A..HR 749 0.73 K
sapicp~1.man Tue 17 May 2005 21:07:42 A..HR 749 0.73 K
wuaucp~1.man Tue 17 May 2005 21:07:42 A..HR 749 0.73 K
cdplay~1.man Tue 17 May 2005 21:07:42 A..HR 749 0.73 K
logonu~1.man Tue 17 May 2005 21:07:46 A..HR 488 0.48 K
window~1.man Tue 17 May 2005 21:07:46 A..HR 488 0.48 K

C:\WINDOWS\HELP\
windows.gid Tue 17 May 2005 20:43:36 ...H. 9,793 9.56 K

C:\WINDOWS\FONTS\
desktop.ini Tue 17 May 2005 21:08:24 A.SH. 67 0.06 K

C:\WINDOWS\WEB\
wvlogo.gif Tue 17 May 2005 20:44:02 ...H. 19,600 19.14 K
controlp.htt Tue 17 May 2005 20:44:02 ...H. 4,204 4.11 K
folder.htt Tue 17 May 2005 20:44:02 ...H. 11,530 11.26 K
mycomp.htt Tue 17 May 2005 20:44:02 ...H. 4,988 4.87 K
printers.htt Tue 17 May 2005 20:44:02 ...H. 5,044 4.93 K
webview.css Tue 17 May 2005 20:44:02 ...H. 855 0.83 K
default.htt Tue 17 May 2005 20:44:02 ...H. 14,258 13.92 K
nethood.htt Tue 17 May 2005 20:44:02 ...H. 5,403 5.27 K
recycle.htt Tue 17 May 2005 20:44:02 ...H. 8,088 7.90 K
schedule.htt Tue 17 May 2005 20:44:02 ...H. 5,495 5.36 K
dialup.htt Tue 17 May 2005 20:44:02 ...H. 5,521 5.39 K
wvleft.bmp Tue 17 May 2005 20:44:02 ...H. 44,686 43.64 K
wvline.gif Tue 17 May 2005 20:44:02 ...H. 840 0.82 K

C:\WINDOWS\TASKS\
sa.dat Mon 27 Jun 2005 12:42:22 A..H. 6 0.00 K

C:\WINDOWS\DOWNLO~1\
desktop.ini Tue 17 May 2005 21:07:46 ...H. 65 0.06 K

C:\WINDOWS\REPAIR\
ntuser.dat Tue 17 May 2005 21:09:14 A..H. 360,448 352.00 K

C:\WINDOWS\OFFLIN~1\
desktop.ini Tue 17 May 2005 21:07:46 ...H. 65 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\
system.log Mon 27 Jun 2005 12:42:24 A..H. 700,416 684.00 K
software.log Mon 27 Jun 2005 12:42:24 A..H. 90,112 88.00 K
default.log Mon 27 Jun 2005 12:42:24 A..H. 8,192 8.00 K
userdiff.log Tue 17 May 2005 21:00:50 A..H. 1,024 1.00 K
tempkey.log Tue 17 May 2005 21:00:48 A..H. 1,024 1.00 K
sam.log Mon 27 Jun 2005 12:43:36 A..H. 1,024 1.00 K
security.log Mon 27 Jun 2005 12:43:26 A..H. 12,288 12.00 K

C:\WINDOWS\PCHEALTH\HELPCTR\PACKAG~1\
packag~1.cab Tue 17 May 2005 21:08:02 ..SHR 242,478 236.79 K
packag~2.cab Tue 17 May 2005 21:08:02 ..SHR 19,959 19.49 K
packag~3.cab Tue 17 May 2005 21:08:02 ..SHR 727 0.71 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\
desktop.ini Tue 17 May 2005 21:01:58 A.SH. 62 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\
desktop.ini Tue 17 May 2005 21:01:58 A.SH. 62 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\SENDTO\
desktop.ini Tue 17 May 2005 21:07:48 A.SH. 181 0.18 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\APPLIC~1\
desktop.ini Tue 17 May 2005 21:01:58 A.SH. 62 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\HISTORY\
desktop.ini Tue 17 May 2005 21:08:06 A.SH. 113 0.11 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\
desktop.ini Tue 17 May 2005 21:08:06 A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\
desktop.ini Tue 17 May 2005 21:08:48 A.SH. 206 0.20 K

C:\WINDOWS\SYSTEM32\MICROS~1\PROTECT\S-1-5-18\USER\
ccbfad~1 Tue 17 May 2005 21:14:44 A.SH. 388 0.38 K
prefer~1 Tue 17 May 2005 21:14:44 A.SH. 24 0.02 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\HISTORY\HISTORY.IE5\
desktop.ini Tue 17 May 2005 21:08:06 A.SH. 113 0.11 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\
desktop.ini Tue 17 May 2005 21:08:06 A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\ACCESS~1\
desktop.ini Tue 17 May 2005 21:08:48 A.SH. 482 0.47 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\STARTUP\
desktop.ini Tue 17 May 2005 21:08:48 A.SH. 84 0.08 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\MRA7G7YD\
desktop.ini Tue 17 May 2005 21:08:06 A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\ATOTEDKB\
desktop.ini Tue 17 May 2005 21:08:06 A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\4967C56B\
desktop.ini Tue 17 May 2005 21:08:06 A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\1M42PGTV\
desktop.ini Tue 17 May 2005 21:08:06 A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\ACCESS~1\ENTERT~1\
desktop.ini Tue 17 May 2005 21:08:48 A.SH. 84 0.08 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\ACCESS~1\ACCESS~1\
desktop.ini Tue 17 May 2005 21:08:48 A.SH. 348 0.34 K

61 items found: 61 files, 0 directories.
Total of file sizes: 1,829,814 bytes 1.74 M



! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SystemTray REG_SZ SysTray.Exe
Cmaudio REG_SZ RunDll32 cmicnfg.cpl,CMICtrlWnd
AVG7_CC REG_SZ C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC REG_SZ C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
SiSUSBRG REG_SZ C:\WINDOWS\SiSUSBrg.exe
HP Software Update REG_SZ "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
HP Component Manager REG_SZ "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
HPDJ Taskbar Utility REG_SZ C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
DeviceDiscovery REG_SZ C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
DSLSTATEXE REG_SZ C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
DSLAGENTEXE REG_SZ C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
Motive SmartBridge REG_SZ C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
WinPatrol REG_SZ C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
Windows CPU host REG_SZ winbog32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows CPU host REG_SZ winbog32.exe


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSMSGS REG_SZ "C:\Program Files\Messenger\msmsgs.exe" /background


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} REG_DWORD 0x1
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} REG_DWORD 0x40000021
{0DF44EAA-FF21-4412-828E-260A8728E7F1} REG_DWORD 0x20

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername REG_DWORD 0x0
legalnoticecaption REG_SZ
legalnoticetext REG_SZ
shutdownwithoutlogon REG_DWORD 0x1
undockwithoutlogon REG_DWORD 0x1


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
PostBootReminder REG_SZ {7849596a-48ea-486e-8937-a2a3009f31a9}
CDBurn REG_SZ {fbeb8a05-beee-4442-804e-409d6c4515e9}
WebCheck REG_SZ {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
SysTray REG_SZ {35CEC8A3-2BE6-11D2-8773-92E220524153}


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,



! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell REG_SZ Explorer.exe



! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs REG_SZ

#6 OldTimer

Malware Expert

Posted 27 June 2005 - 12:29 PM

Hi Biofriendly. Everything looks good there so we aren't dealing with any hiding files at this point. Post back a new HijackThis log after the update along with any further problems and then we will go from there.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#7 Biofriendly

Topic Starter

Posted 30 June 2005 - 04:46 PM

Me again, sorry about the delay.
Installed SP1 a couple of days ago (as this is the only service pack I had).
After install it told me that AVG antivirus was corrupted and needed re-installing.
However I chose to install Avast anti virus, as I use it on my computer and find
it a good free program. I noticed that the network shield was blocking the following.


28.06.2005 20:45:46 DCOM Exploit attack
from 86.135.187.29:135
28.06.2005 20:46:05 DCOM Exploit attack
from 86.135.56.200:135
28.06.2005 20:46:14 DCOM Exploit attack
from 86.135.187.29:135
28.06.2005 20:47:20 DCOM Exploit attack
from 86.135.17.218:135
28.06.2005 20:54:38 DCOM Exploit attack
from 86.135.56.200:135
28.06.2005 20:58:26 DCOM Exploit attack
from 86.135.187.29:135
28.06.2005 20:59:01 DCOM Exploit attack
from 86.135.176.38:135
28.06.2005 23:41:00 DCOM Exploit attack
from 86.135.102.119:135
28.06.2005 23:41:50 DCOM Exploit attack
from 86.135.102.119:135
28.06.2005 23:42:30 DCOM Exploit attack
from 86.135.98.60:135

This is only the last ten logs.

Everything seems to be OK and internet and e-mail were working correctly.

The virus scan showed the following virus (this is copy of log sent to avast)

Virus name: Win32:Kuang2
Original file location: C:\System Volume Information\_restore{4EF22F73-36AC-46F2-BF9C-B5E2AB2A96A5}\RP46\A0005942.dll
Computer name: K1O0H0
Transfer time: 27.06.2005 19:09:58
Modification time: 19.04.2005 16:24:34
Total size: 890368
Comment:

Virus name: Win32:Kuang2
Original file location: C:\WINDOWS\SYSTEM32\ActiveScan\imscan.dll
Computer name: K1O0H0
Transfer time: 27.06.2005 18:47:44
Modification time: 19.04.2005 16:24:34
Total size: 890368
Comment:

File ID: 4
Category: 1

OS:
Microsoft Windows XP Professional (Build 2600) Service Pack 1


May not be a virus, do not know if it is something to do with one of the
on-line virus scans I ran: Trend, BitDefender, Panda.

Avast have yet to reply to this e-mail.

I downloaded SP2 tonight and ran avast, Spybot S&D and Ad-Aware again,
which were clean.
I installed SP2, upon reboot everything seemed to be OK, and the firewall was started.
After connecting to the internet the firewall stated it had blocked some features of these programs:-
Name. sysmon32
Publisher. unknown

Name. winbog32
Publisher. unknown

I chose "ask me later" as I was unsure if this was bogus or a required program.
Outlook Express took ages to check the e-mail accounts, sometimes it would complete and sometimes gave the following error message.

A TCP/IP error occurred while trying to connect to the server. Account: 'mail.btinternet.com', Server: 'mail.btinternet.com', Protocol: POP3, Port: 110, Secure(SSL): No, Error Number: 0x800CCC15

When using Internet Explorer, the home page was displayed, but no other sites could be viewed.

After disconnecting I looked at the avast network shield log mentioned above which showed that there had been no attacks.

I rebooted and turned off the firewall, this time the e-mail accounts were checked
quickly, and a message came in, but after selecting send receive again the same error message appeared. Internet Explorer still would not work either.

I had to uninstall SP2 as my neighbours need e-mails for work.
It is now working again (SP1), and I have enabled the firewall.

Here is the HijackThis log after a clean reboot
Warmest Regards


Logfile of HijackThis v1.99.1
Scan saved at 20:53:35, on 30/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
C:\WINDOWS\system32\winbog32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\sysmon32.exe
C:\Program Files\BT Broadband Help\bin\mpbtn.exe
C:\Documents and Settings\Gorman\My Documents\Highjackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [Windows CPU host] winbog32.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [Windows CPU host] winbog32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Help\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\Resources\IntraLaunch.CAB
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

#8 OldTimer

Malware Expert

Posted 01 July 2005 - 01:42 PM

Hi Biofriendly. The imscan.dll is Ok. It is part of Panda's Active scan and contains the definitions for malicious files, that is why it comes up with warnings in some of the other scanning products. The sysmon32.exe and winbog32.exe however are bad files and we will remove those.

When you talk about the firewall are you using the built-in Windows Firewall? It is problematic at the least and a royal pain in the butt in many instances. I would recommend disabling it and using one of these free firewalls (I use all of them on various machines for testing and they all do a terrific job [my favorite is Sygate]):

Here are 3 free firewalls available for personal use:

Ok, let's fix up the bad items in the log. Please print these directions and then proceed with the following steps in order.

Step #1

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.

Step #2

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
O4 - HKLM\..\Run: [Windows CPU host] winbog32.exe
O4 - HKLM\..\RunServices: [Windows CPU host] winbog32.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #3

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Find the following files/folders and delete them (don't worry if they are already gone):

C:\WINDOWS\system32\sysmon32.exe
C:\WINDOWS\system32\winbog32.exe

Step #4

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #5

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#9 Biofriendly

Topic Starter

Posted 04 July 2005 - 11:38 AM

Hello.
I went to my neighbours at lunch today to remove the bad files.
They told me that when they connected to the internet this morning the avast virus scanner came up with Win32: Adware-gen.(Adw) found. The browser was also
coming up with the same old 'corn on the cob' web page as mentioned in my first post. Avast itself gave the site as (www.mt-download.com/mtslibz.js), which was again trying to download a file into the local settings\Temp folder.
Anyway I still followed the instructions from your previous reply, the only problem
was the sysmon32.exe could not be deleted as in step 3 because the file was in use, so I ended the process and could then delete the file.
After normal restart, an error came up stating that the sysmon32.exe could not be found.
Here is the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 12:47:41, on 04/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\winstes.exe
C:\yss.exe
C:\Program Files\BT Broadband Help\bin\mpbtn.exe
C:\Documents and Settings\Gorman\My Documents\Highjackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft Update] winstes.exe
O4 - HKLM\..\Run: [REGRUN] C:\yss.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winstes.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Help\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\Resources\IntraLaunch.CAB
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

After this I connected again to the internet, the avast scanner detected the same
problem, so I disconnected and selected delete file.
I ran the task manager and noticed three instances of lax.exe running and a process yss.exe.
I found these files C:\Lax.exe and C:\yss.exe, and also noticed the files C:\ymta.exe and C:\ygcs.exe, the first two files were created at the same time (when
my neighbour connected this morning) the last two were created when I connected.
Here is the HijackThis log after being connected again

Logfile of HijackThis v1.99.1
Scan saved at 12:53:02, on 04/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\winstes.exe
C:\yss.exe
C:\Program Files\BT Broadband Help\bin\mpbtn.exe
C:\Lax.exe
C:\Lax.exe
C:\Lax.exe
C:\Documents and Settings\Gorman\My Documents\Highjackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft Update] winstes.exe
O4 - HKLM\..\Run: [REGRUN] C:\yss.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winstes.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Help\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\Resources\IntraLaunch.CAB
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)


I will install ZoneAlarm as I use it on my system, and yes it is currently the
built-in Windows firewall that is enabled on their system.

THANK YOU!!!

#10 OldTimer

Malware Expert

Posted 05 July 2005 - 11:32 AM

Hi Biofriendly. Yes, we have a couple of new infections here. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.

Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
O4 - HKLM\..\Run: [Microsoft Update] winstes.exe
O4 - HKLM\..\Run: [REGRUN] C:\yss.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winstes.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Find the following files/folders and delete them (don't worry if they are already gone):

C:\WINDOWS\system32\sysmon32.exe
C:\WINDOWS\System32\winstes.exe
C:\yss.exe
C:\Lax.exe

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally and run at least 2 of the following on-line virus scans:
  • Trend Micro Housecall
  • BitDefender On-Line Virus Scan
  • Panda ActiveScan
  • eTrust Antivirus Web Scanner

Make sure that you choose "fix", "clean" or "autoclean". If you have any files that cannot be disinfected or quarantined automatically then you will need to delete them manually.

Step #7

AdAware SE v1.06

Download, install, update, configure and run a scan with Ad-aware SE v1.06:
  • Download and Install AdAware SE Personal, keeping the default options. However, some of the settings will need to be changed before your first scan.
  • Close ALL windows except Ad-Aware SE.
  • Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
  • Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
    • In the ‘General’ window make sure the following are selected in green:
      • Under Safety:
        • Automatically save log-file
        • Automatically quarantine objects prior to removal
        • Safe Mode (always request confirmation)
      • Under Definitions:
        • Prompt to update outdated definitions - set the number of days
  • Click on the ‘Scanning’ button on the left and select in green:
    • Under Driver, Folders & Files:
      • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Under Memory & Registry: all green
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
  • Click on the ‘Advanced’ button on the left and select in green:
    • Under Shell Integration:
      • Move deleted files to recycle bin
    • Under Logfile Detail Level: all green
      • include additional object information
      • DESELECT - include negligible objects information
      • include environment information
    • Under Alternate Data Streams:
      • Don't log streams smaller than 0 bytes
      • Don't log ADS with the following names: CA_INOCULATEIT
  • Click the ‘Tweak’ button and select in green:
    • Under ‘Scanning Engine’:
      • Unload recognized processes during scanning
      • Scan registry for all users instead of current user only
    • Under ‘Cleaning Engine’:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Please do not check: Include Module list in logfile
  • Click on ‘Proceed’ to save the settings.
  • Click ‘Start’
  • Choose 'Perform Full System Scan'
  • DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  • Right-click on the list and choose Select All
  • Click the Next button to finish removing the items that were found
  • When finished, REBOOT to complete the removal of what Ad-Aware SE found

Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
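
The triage OldTimer does by eye in posts #8 and #10, sketched as an added example (not part of the original thread and not HijackThis code): it parses F2 and O4 lines, flags a Shell value that starts anything besides Explorer.exe and Run entries that use a bare file name or a drive-root path, and diffs two logs. The heuristics and the `KNOWN_BARE` allowlist are assumptions made for this sample; the log lines are copied from the logs posted in this thread.

```python
import re
from typing import NamedTuple

# Constructed samples: autostart lines copied from two HijackThis logs in this
# thread (06/07/2005 after cleanup, 04/07/2005 infected); other sections omitted.
CLEAN_LOG = r'''
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
'''
INFECTED_LOG = CLEAN_LOG + r'''F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
O4 - HKLM\..\Run: [Microsoft Update] winstes.exe
O4 - HKLM\..\Run: [REGRUN] C:\yss.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winstes.exe
'''

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<data>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
DRIVE_ROOT_RE = re.compile(r"[A-Za-z]:\\[^\\]+")
# Assumption: bare names accepted as normal for this machine's log.
KNOWN_BARE = {"systray.exe", "rundll32", "rundll32.exe"}


class Entry(NamedTuple):
    kind: str      # "shell" (F2) or "run" (O4 registry autostart)
    command: str   # value data as shown in the log
    line: str      # the full log line


def parse_autostarts(log_text):
    """Return the F2 Shell and O4 registry Run entries found in a log."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = F2_RE.match(line)
        if m:
            entries.append(Entry("shell", m["data"], line))
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(Entry("run", m["cmd"], line))
    return entries


def executable_of(command):
    """Extract the program path from a Run value (quoted, unquoted, with args)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]


def review(log_text):
    """Return (line, reason) pairs for entries that deserve a closer look."""
    findings = []
    for e in parse_autostarts(log_text):
        if e.kind == "shell":
            # The registry dump earlier in the thread shows Shell = Explorer.exe only.
            extras = [t for t in e.command.split() if t.lower() != "explorer.exe"]
            if extras:
                findings.append((e.line, "Shell starts extra program(s): " + ", ".join(extras)))
            continue
        exe = executable_of(e.command)
        if DRIVE_ROOT_RE.fullmatch(exe):
            findings.append((e.line, "executable sits in a drive root"))
        elif "\\" not in exe and exe.lower() not in KNOWN_BARE:
            findings.append((e.line, "bare file name, not on the allowlist"))
    return findings


def new_since(baseline_log, current_log):
    """Autostart lines present in current_log but absent from baseline_log."""
    seen = {e.line for e in parse_autostarts(baseline_log)}
    return [e.line for e in parse_autostarts(current_log) if e.line not in seen]


if __name__ == "__main__":
    for line, reason in review(INFECTED_LOG):
        print(f"{reason}\n    {line}")
    print("New since baseline:", len(new_since(CLEAN_LOG, INFECTED_LOG)))
```

On the sample, the flagged lines are the same four entries listed in Step #3 of post #10.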


#11 Biofriendly

Topic Starter

Posted 06 July 2005 - 03:34 PM

Hello OldTimer.
The on-line virus scans found the following:-

Trend Micro

1st Scan

WORM AGOBOT.AQV C:\WINDOWS\SYSTEM32\wuamkop.exe
WORM RBOT.GEN C:\System Volume Information\_restore

2nd Scan

WORM AGOBOT.AQV C:\System Volume Information\_restore

3rd Scan

Clean!

Bit Defender

1st Scan

Trojan.Downloader.2751.A C:\System Volume Information\_restore (x2)

2nd Scan

Scan program stopped responding and Avast came up with Win32:Sdbot-194-B
in C:\WINDOWS\system32\mssetup32.exe\[MEW]

3rd Scan

Clean!

ETrust

Clean!

Panda

Clean! Although only took about 20 seconds to complete the scan!


All nasties above were deleted.

Ad-Aware did not find any problems.

Here is the HijackThis log


Logfile of HijackThis v1.99.1
Scan saved at 18:20:12, on 06/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\BT Broadband Help\bin\mpbtn.exe
C:\Documents and Settings\Gorman\My Documents\Highjackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Help\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\Resources\IntraLaunch.CAB
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)


I then installed and Configured ZoneAlarm.

Here are the pfind results, as you may want to check this as well.

Files found with this application may be legitimate.
Only remove files that you know are malware related.


Checking the C: folder



Checking the C:\Program Files folder



Checking the C:\WINDOWS folder

C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\tsc.exe: UPX!


Checking the C:\WINDOWS\SYSTEM32 folder

C:\WINDOWS\SYSTEM32\DivX.dll: PEC2
C:\WINDOWS\SYSTEM32\DivX.dll: PECompact2


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder



Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\All Users\Application Data folder




Checking the C:\Documents and Settings\Gorman\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\Gorman\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days


C:\WINDOWS\
hwinfo.dat Tue 17 May 2005 20:44:22 ...HR 213,024 208.03 K
folder.htt Tue 17 May 2005 20:44:02 ...H. 12,746 12.45 K
ttfcache Tue 17 May 2005 20:42:32 A..H. 2,969 2.90 K
window~1.man Tue 17 May 2005 21:07:42 A..HR 749 0.73 K
bootstat.dat Wed 6 Jul 2005 20:39:00 A.S.. 2,048 2.00 K

C:\WINDOWS\SYSTEM32\
folder.htt Tue 17 May 2005 20:44:02 ...H. 12,746 12.45 K
vsconfig.xml Wed 6 Jul 2005 18:54:02 A..H. 890 0.87 K
zllictbl.dat Wed 6 Jul 2005 18:31:06 ...H. 4,212 4.11 K
ncpacp~1.man Tue 17 May 2005 21:07:42 A..HR 749 0.73 K
nwccpl~1.man Tue 17 May 2005 21:07:42 A..HR 749 0.73 K
sapicp~1.man Tue 17 May 2005 21:07:42 A..HR 749 0.73 K
wuaucp~1.man Tue 17 May 2005 21:07:42 A..HR 749 0.73 K
cdplay~1.man Tue 17 May 2005 21:07:42 A..HR 749 0.73 K
logonu~1.man Tue 17 May 2005 21:07:46 A..HR 488 0.48 K
window~1.man Tue 17 May 2005 21:07:46 A..HR 488 0.48 K

C:\WINDOWS\HELP\
windows.gid Tue 17 May 2005 20:43:36 ...H. 9,793 9.56 K

C:\WINDOWS\FONTS\
desktop.ini Tue 17 May 2005 21:08:24 A.SH. 67 0.06 K

C:\WINDOWS\WEB\
wvlogo.gif Tue 17 May 2005 20:44:02 ...H. 19,600 19.14 K
controlp.htt Tue 17 May 2005 20:44:02 ...H. 4,204 4.11 K
folder.htt Tue 17 May 2005 20:44:02 ...H. 11,530 11.26 K
mycomp.htt Tue 17 May 2005 20:44:02 ...H. 4,988 4.87 K
printers.htt Tue 17 May 2005 20:44:02 ...H. 5,044 4.93 K
webview.css Tue 17 May 2005 20:44:02 ...H. 855 0.83 K
default.htt Tue 17 May 2005 20:44:02 ...H. 14,258 13.92 K
nethood.htt Tue 17 May 2005 20:44:02 ...H. 5,403 5.27 K
recycle.htt Tue 17 May 2005 20:44:02 ...H. 8,088 7.90 K
schedule.htt Tue 17 May 2005 20:44:02 ...H. 5,495 5.36 K
dialup.htt Tue 17 May 2005 20:44:02 ...H. 5,521 5.39 K
wvleft.bmp Tue 17 May 2005 20:44:02 ...H. 44,686 43.64 K
wvline.gif Tue 17 May 2005 20:44:02 ...H. 840 0.82 K

C:\WINDOWS\TASKS\
sa.dat Wed 6 Jul 2005 18:57:02 A..H. 6 0.00 K

C:\WINDOWS\DOWNLO~1\
desktop.ini Tue 17 May 2005 21:07:46 ...H. 65 0.06 K

C:\WINDOWS\REPAIR\
ntuser.dat Tue 17 May 2005 21:09:14 A..H. 360,448 352.00 K

C:\WINDOWS\OFFLIN~1\
desktop.ini Tue 17 May 2005 21:07:46 ...H. 65 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\
system.log Wed 6 Jul 2005 18:57:08 A..H. 737,280 720.00 K
software.log Wed 6 Jul 2005 18:57:08 A..H. 151,552 148.00 K
default.log Wed 6 Jul 2005 18:57:08 A..H. 8,192 8.00 K
userdiff.log Tue 17 May 2005 21:00:50 A..H. 1,024 1.00 K
tempkey.log Tue 17 May 2005 21:00:48 A..H. 1,024 1.00 K
sam.log Wed 6 Jul 2005 20:39:16 A..H. 1,024 1.00 K
security.log Wed 6 Jul 2005 20:39:00 A..H. 16,384 16.00 K

C:\WINDOWS\PCHEALTH\HELPCTR\PACKAG~1\
packag~1.cab Tue 17 May 2005 21:08:02 ..SHR 242,478 236.79 K
packag~2.cab Tue 17 May 2005 21:08:02 ..SHR 19,959 19.49 K
packag~3.cab Tue 17 May 2005 21:08:02 ..SHR 727 0.71 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\
desktop.ini Tue 17 May 2005 21:01:58 A.SH. 62 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\
desktop.ini Tue 17 May 2005 21:01:58 A.SH. 62 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\SENDTO\
desktop.ini Tue 17 May 2005 21:07:48 A.SH. 181 0.18 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\APPLIC~1\
desktop.ini Tue 17 May 2005 21:01:58 A.SH. 62 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\HISTORY\
desktop.ini Tue 17 May 2005 21:08:06 A.SH. 113 0.11 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\
desktop.ini Tue 17 May 2005 21:08:06 A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\
desktop.ini Tue 17 May 2005 21:08:48 A.SH. 206 0.20 K

C:\WINDOWS\SYSTEM32\MICROS~1\PROTECT\S-1-5-18\USER\
ccbfad~1 Tue 17 May 2005 21:14:44 A.SH. 388 0.38 K
prefer~1 Tue 17 May 2005 21:14:44 A.SH. 24 0.02 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\HISTORY\HISTORY.IE5\
desktop.ini Tue 17 May 2005 21:08:06 A.SH. 113 0.11 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\
desktop.ini Tue 17 May 2005 21:08:06 A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\ACCESS~1\
desktop.ini Tue 17 May 2005 21:08:48 A.SH. 482 0.47 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\STARTUP\
desktop.ini Tue 17 May 2005 21:08:48 A.SH. 84 0.08 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\MRA7G7YD\
desktop.ini Tue 17 May 2005 21:08:06 A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\ATOTEDKB\
desktop.ini Tue 17 May 2005 21:08:06 A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\4967C56B\
desktop.ini Tue 17 May 2005 21:08:06 A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\1M42PGTV\
desktop.ini Tue 17 May 2005 21:08:06 A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\ACCESS~1\ENTERT~1\
desktop.ini Tue 17 May 2005 21:08:48 A.SH. 84 0.08 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\ACCESS~1\ACCESS~1\
desktop.ini Tue 17 May 2005 21:08:48 A.SH. 348 0.34 K

63 items found: 63 files, 0 directories.
Total of file sizes: 1,937,316 bytes 1.84 M


The Very Kindest Regards Biofriendly

#12 OldTimer

Posted 06 July 2005 - 05:07 PM

Hi Biofriendly. Well, the log looks clean. Good job! How are things running? Any problems?

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
   * On the Desktop, right-click My Computer.
   * Click Properties.
   * Click the System Restore tab.
   * Check Turn off System Restore.
   * Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
   * On the Desktop, right-click My Computer.
   * Click Properties.
   * Click the System Restore tab.
   * UN-Check Turn off System Restore.
   * Click Apply, and then click OK.

System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use: and a good antivirus like the one you are currently using. It is critical to have both a firewall and an anti-virus application and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
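
What "the log looks clean" amounts to in practice, as an added example that is not part of OldTimer's reply: a Python check that looks for the scanner-detected file names among a HijackThis log's running processes and entries, and lists orphaned "(file missing)" entries. The sample log is a constructed excerpt of lines from the log posted above; `parse` and `triage` are hypothetical helper names.

```python
import re

# Constructed sample: a few lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# File names the online scanners reported in the same post.
DETECTED = {"wuamkop.exe", "mssetup32.exe"}

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # section code, e.g. "O4 - ..."
EXE = re.compile(r'([^\\/:"\s]+\.(?:exe|dll|ocx|cpl))\b', re.I)

def parse(log):
    """Split a HijackThis log into running-process paths and (section, text) entries."""
    procs, entries, in_procs = [], [], False
    for line in (l.strip() for l in log.splitlines()):
        if line.lower().startswith("running processes"):
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            procs.append(line)
        else:
            m = ENTRY.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return procs, entries

def triage(log, detected):
    """Return detected names still referenced, plus orphaned '(file missing)' entries."""
    procs, entries = parse(log)
    bad = {d.lower() for d in detected}
    hits = [p for p in procs if p.rsplit("\\", 1)[-1].lower() in bad]
    hits += [f"{s} - {t}" for s, t in entries
             if any(n.lower() in bad for n in EXE.findall(t))]
    orphans = [(s, t) for s, t in entries if t.endswith("(file missing)")]
    return {"still_referenced": hits, "orphans": orphans}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, DETECTED))
```

An empty `still_referenced` list means none of the detected files is running or set to start; the orphans are entries whose target file no longer exists on disk.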


#13 Biofriendly

Posted 15 July 2005 - 12:18 PM

Hello OldTimer
Once again thanks for all your help, their computer seems to be very happy, and
so are its owners.
I will donate using PayPal as this is a great service.
Warmest Regards Biofriendly

#14 OldTimer

Posted 17 July 2005 - 11:54 AM

You're very welcome Biofriendly. I'm glad that we could help.

Now that your malware issues have been resolved I will close this topic. If you need it reopened for this same issue then please PM me. If you have any new issues in the future then please start a new topic.

Cheers.

Keep on computing!

OT