Google Forwarding Links / Virtumonde / Tidserv


  • This topic is locked
26 replies to this topic

#1 jhut

Posted 08 December 2009 - 06:53 PM

Hello to all,

Yes, I have a WinXP SP3 PC that has become infected with something. Some Google search results don't go to the page they're supposed to, but rather forward to OTHER links, many of which try to sell some bogus anti-virus software. I noticed that these links contain an affiliate ID, so presumably if I buy the software, then someone, somewhere, is getting money.

My most recent virus scans with Spyware Doctor are clean, though the problem persists. Everything else on my computer appears fine - my machine is not slow, I have no pop-up problems, and going directly to the address bar and typing in sites directly does not result in this forwarding problem. Only Google search results forward.

Please note that I am not able to upload the RootRepeal log as that program seems to just get hung every time I run it. The only potentially useful information I can read from it is it says "C:\hiberfil.sys" is "Locked to the Windows API!"

Thank you for any and all help. It is much appreciated.

Best,
Joe

======== Start of DDS.txt below ==========


DDS (Ver_09-12-01.01) - NTFSx86
Run by test at 17:27:22.26 on Tue 12/08/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1395 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\test\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\test\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\test\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\test\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\test\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\test\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [Google Update] "c:\documents and settings\test\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] "c:\windows\system32\nwiz.exe" /installquiet /nodetect
mRun: [MsmqIntCert] "c:\windows\system32\regsvr32.exe" /s mqrt.dll
mRun: [High Definition Audio Property Page Shortcut] "c:\windows\system32\CHDAudPropShortcut.exe"
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] "c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe" /Start
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [RecGuard] "c:\windows\sminst\RecGuard.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-3 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-8 207280]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-12-8 358600]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-12-8 1141200]
R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-6-6 61952]
R4 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-12-8 186128]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-11-8 30192]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232]

=============== Created Last 30 ================

2009-12-08 21:38:35 4412 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-08 21:38:35 370976 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-08 21:38:35 26912 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-08 21:38:35 1844 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-08 21:38:19 2728 ----a-w- C:\rollback.ini
2009-12-08 21:22:22 0 d-----w- c:\program files\common files\ParetoLogic
2009-12-08 21:22:22 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-12-08 18:39:03 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-12-08 18:39:03 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-08 18:38:58 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-08 18:38:58 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-12-08 18:38:58 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-12-08 18:38:58 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-08 18:38:55 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-12-08 18:38:54 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-08 18:38:36 0 d-----w- c:\program files\Spyware Doctor
2009-12-08 18:38:36 0 d-----w- c:\program files\common files\PC Tools
2009-12-08 18:38:36 0 d-----w- c:\docume~1\test\applic~1\PC Tools
2009-12-08 18:38:36 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-12-07 21:08:53 0 d-----w- c:\windows\system32\wbem\Repository
2009-12-07 20:21:54 164 ----a-w- c:\windows\install.dat
2009-12-07 09:19:21 344064 ----a-w- c:\documents and settings\test\Install Uninstall Configuration
2009-12-07 09:12:56 65744 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-12-07 08:52:07 0 d-----w- c:\windows\pss
2009-12-07 08:44:32 0 d-----w- c:\program files\SpywareBlaster
2009-12-07 08:33:13 0 d-----w- c:\program files\CCleaner
2009-12-07 07:38:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-07 07:38:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-30 08:25:52 0 d-----w- c:\program files\EnglishOtto
2009-11-30 05:44:40 0 ----a-w- c:\documents and settings\test\settings.dat
2009-11-30 05:23:32 0 d-----w- C:\cmdcons
2009-11-30 05:03:21 0 d-----w- c:\docume~1\test\applic~1\Malwarebytes
2009-11-30 05:03:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-30 05:03:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-30 04:30:26 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-30 04:30:26 0 d-----w- c:\docume~1\test\applic~1\SUPERAntiSpyware.com
2009-11-28 22:50:43 0 d-sh--w- C:\found.000
2009-11-27 17:08:49 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-11-19 21:53:25 32656 ----a-w- c:\windows\system32\msonpmon.dll
2009-11-19 14:05:52 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-11-19 14:05:52 215920 ----a-w- c:\windows\system32\muweb.dll
2009-11-19 14:05:52 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2009-11-09 21:53:30 794624 ----a-w- c:\windows\system32\spr32d35.dll
2009-11-09 21:49:59 0 d-----w- c:\program files\Sunset Bathroom Designer

==================== Find3M ====================

2009-12-08 21:06:10 99584 ----a-w- c:\windows\system32\drivers\nvata.sys
2009-11-03 21:30:25 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-03 21:30:24 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-31 16:13:40 1721 --sha-r- c:\windows\system32\drivers\103C_HP_NTBK_HP Pavilion dv9000 (EZ462UA#ABA)_YN_0Pavi_QCNF64730MV_E432250002_46_I30B9_SQuanta_V65.2C_BF.42_T090309_WXP2_L409_M1983_J100_7AMD_8Turion 64 X2 Technology TL-50_91.61_#060919_N_(EZ462UA#ABA)_XMOBILE.MRK
2009-10-19 23:53:44 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37:11 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-09-25 05:37:11 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-09-25 05:37:10 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-09-25 05:37:09 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-25 05:37:09 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll

============= FINISH: 17:29:11.00 ===============

#2 jhut

  • Topic Starter

Posted 14 December 2009 - 08:09 PM

Hello,

Yes, since this help request is taking longer than I expected to get picked up, you have my word that I will send a PayPal payment of US fifteen dollars ($15) to the admin who helps me get my issue successfully resolved.

Thank you.

-Joseph

#3 extremeboy

  • Malware Response Team

Posted 20 December 2009 - 06:27 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

"Yes, since this help request is taking longer than I expected to get picked up, you have my word that I will send a PayPal payment of US fifteen dollars ($15) to the admin who helps me get my issue successfully resolved."

Although we understand your frustration, we have over 700 logs that need to be answered. Neither BleepingComputer nor I accept personal donations for assistance provided.
---

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS & RootRepeal. If you have any problems, just let me know in your next reply or simply post a HijackThis log.


For your next reply I would like to see:
  • The DDS logs
    • DDS.txt and Attach logs
  • RootRepeal logs
  • Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 extremeboy


Posted 25 December 2009 - 12:52 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy

#5 extremeboy


Posted 26 December 2009 - 09:14 AM

Re-opened upon user's request.

#6 jhut


Posted 26 December 2009 - 08:29 PM

Hello extremeboy,

Thank you for re-opening. Yes, my original problems persist, which are that some Google searches, regardless of which browser I use, redirect to bogus sites. Besides that, my computer seems to be acting normal - speed seems fine.

I tried running root repeal, but it just seems to stall. The only potentially useful information I can read from it is it says "C:\hiberfil.sys" is "Locked to the Windows API!"
Also, after canceling the root repeal scan, dds took forty-five minutes to run, and didn't even finish. I then restarted my computer and dds ran just fine. Its logs are attached.

Thank you for your help and insight!


DDS (Ver_09-12-01.01) - NTFSx86
Run by test at 2:55:58.57 on Sat 12/26/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1607 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\test\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Documents and Settings\test\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\dllhost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mURLSearchHooks: SrchHook Class: {d3f669eb-57ce-4f45-8fbd-e245cbb46366} - c:\program files\stopzilla!\toolbar\SZIESearchHook.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\toolbar\SZSG.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\toolbar\SZSG.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [Google Update] "c:\documents and settings\test\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [High Definition Audio Property Page Shortcut] "c:\windows\system32\CHDAudPropShortcut.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [RecGuard] "c:\windows\sminst\RecGuard.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-3 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-8 207280]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-6-6 61952]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-11-8 30192]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-12-8 358600]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-12-8 1141200]

=============== Created Last 30 ================

2009-12-10 07:43:13 240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-12-10 07:38:22 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2009-12-10 07:36:57 0 d-----w- c:\program files\STOPzilla!
2009-12-10 07:36:55 0 d-----w- c:\program files\common files\iS3
2009-12-10 07:36:54 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-12-10 07:16:52 0 d-----w- c:\program files\Trend Micro
2009-12-10 06:25:43 0 d-----w- c:\docume~1\test\applic~1\AVG8
2009-12-10 05:32:19 0 d-sha-r- C:\cmdcons
2009-12-10 05:30:45 98816 ----a-w- c:\windows\sed.exe
2009-12-10 05:30:45 77312 ----a-w- c:\windows\MBR.exe
2009-12-10 05:30:45 261632 ----a-w- c:\windows\PEV.exe
2009-12-10 05:30:45 161792 ----a-w- c:\windows\SWREG.exe
2009-12-10 02:38:11 0 d-----w- C:\VundoFix Backups
2009-12-08 21:38:35 4412 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-08 21:38:35 392480 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-08 21:38:35 27168 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-08 21:38:35 1844 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-08 21:38:19 2728 ----a-w- C:\rollback.ini
2009-12-08 21:22:22 0 d-----w- c:\program files\common files\ParetoLogic
2009-12-08 21:22:22 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-12-08 18:39:03 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-12-08 18:39:03 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-08 18:38:58 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-08 18:38:58 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-12-08 18:38:58 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-12-08 18:38:58 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-08 18:38:55 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-12-08 18:38:54 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-08 18:38:36 0 d-----w- c:\program files\Spyware Doctor
2009-12-08 18:38:36 0 d-----w- c:\program files\common files\PC Tools
2009-12-08 18:38:36 0 d-----w- c:\docume~1\test\applic~1\PC Tools
2009-12-08 18:38:36 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-12-07 21:08:53 0 d-----w- c:\windows\system32\wbem\Repository
2009-12-07 20:21:54 164 ----a-w- c:\windows\install.dat
2009-12-07 09:19:21 344064 ----a-w- c:\documents and settings\test\Install Uninstall Configuration
2009-12-07 09:12:56 65744 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-12-07 08:52:07 0 d-----w- c:\windows\pss
2009-12-07 08:44:32 0 d-----w- c:\program files\SpywareBlaster
2009-12-07 08:33:13 0 d-----w- c:\program files\CCleaner
2009-12-07 07:38:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-07 07:38:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-30 08:25:52 0 d-----w- c:\program files\EnglishOtto
2009-11-30 05:44:40 0 ----a-w- c:\documents and settings\test\settings.dat
2009-11-30 05:03:21 0 d-----w- c:\docume~1\test\applic~1\Malwarebytes
2009-11-30 05:03:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-30 05:03:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-30 04:30:26 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-30 04:30:26 0 d-----w- c:\docume~1\test\applic~1\SUPERAntiSpyware.com
2009-11-28 22:50:43 0 d-----w- C:\found.000
2009-11-27 17:08:49 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

==================== Find3M ====================

2009-12-15 01:05:04 99584 ----a-w- c:\windows\system32\drivers\nvata.sys
2009-11-03 21:30:25 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-03 21:30:24 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-31 16:13:40 1721 --sha-r- c:\windows\system32\drivers\103C_HP_NTBK_HP Pavilion dv9000 (EZ462UA#ABA)_YN_0Pavi_QCNF64730MV_E432250002_46_I30B9_SQuanta_V65.2C_BF.42_T090309_WXP2_L409_M1983_J100_7AMD_8Turion 64 X2 Technology TL-50_91.61_#060919_N_(EZ462UA#ABA)_XMOBILE.MRK
2009-10-29 19:08:22 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 05:38:23 667136 ------w- c:\windows\system32\wininet.dll
2009-10-29 05:38:23 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-10-29 05:38:22 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-10-29 05:38:22 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 2:57:21.12 ===============

#7 extremeboy


Posted 27 December 2009 - 12:01 PM

Hello.

Please also post the RootRepeal log for me to review.

Thanks.

~EB

#8 jhut


Posted 27 December 2009 - 02:05 PM

Hello,

That's the thing - the root repeal scan never finishes. I had it running for four hours and it just looks like it's doing nothing. The only info it says is that "locked to the API!" message that I described earlier. But, as I said, the scan never finishes so I cannot post the log.

#9 extremeboy


Posted 27 December 2009 - 02:37 PM

Sorry, I apologize. I didn't see that message. Try GMER for me.

Download and Run GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)

  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista.
  • Allow the gmer.sys driver to load if asked.

    If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do not run any program while GMER is running.
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries.

#10 jhut

Posted 27 December 2009 - 06:47 PM

GMER log attached. Thank you.


#11 extremeboy

Posted 28 December 2009 - 11:09 AM

Hello.

You seem to be infected with one of those new TDL3 infections. We will start off with Combofix.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

#12 jhut

Posted 28 December 2009 - 03:09 PM

Combofix log attached. A few things to note:

1. For some reason Combofix thought AVG Anti-Virus was running on my system, but I don't believe it is. There is no AVG icon in the taskbar and I don't see any active processes that would lead me to think AVG is running.

2. My computer will not boot into safe mode. (I forgot to mention this earlier.)

Thanks for the help!


#13 extremeboy

Posted 29 December 2009 - 10:00 AM

Hello again.

We need to replace a copy but first we need to find a suitable copy.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select run as administrator.)
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :filefind
    nvata*
  • Please Confirm everything is copied and Pasted as I have provided above
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task


#14 jhut

Posted 29 December 2009 - 10:28 AM

SystemLook log below.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 10:27 on 29/12/2009 by test (Administrator - Elevation successful)

========== filefind ==========

Searching for "nvata*"
C:\SWSetup\Chipset\IDE\Win2K\sataraid\nvatabus.sys --a--- 99584 bytes [00:04 27/01/2006] [00:04 27/01/2006] 3AC5EEDD35B7437D53960F3998BFA462
C:\SWSetup\Chipset\IDE\Win2K\sata_ide\nvata.cat --a--- 8836 bytes [15:01 16/05/2006] [15:01 16/05/2006] 45B4D2593DB17F2E2C84242FFD7006B3
C:\SWSetup\Chipset\IDE\Win2K\sata_ide\nvata.inf --a--- 2949 bytes [07:39 15/05/2006] [07:39 15/05/2006] DBA1177CD571878DBF13E2F0C13ACBF7
C:\SWSetup\Chipset\IDE\Win2K\sata_ide\nvata.sys --a--- 99584 bytes [00:04 27/01/2006] [00:04 27/01/2006] 3AC5EEDD35B7437D53960F3998BFA462
C:\SWSetup\Chipset\IDE\WinXP\sataraid\nvatabus.sys --a--- 99584 bytes [00:04 27/01/2006] [00:04 27/01/2006] 3AC5EEDD35B7437D53960F3998BFA462
C:\SWSetup\Chipset\IDE\WinXP\sata_ide\nvata.cat --a--- 8836 bytes [15:01 16/05/2006] [15:01 16/05/2006] 45B4D2593DB17F2E2C84242FFD7006B3
C:\SWSetup\Chipset\IDE\WinXP\sata_ide\nvata.inf --a--- 2949 bytes [07:39 15/05/2006] [07:39 15/05/2006] DBA1177CD571878DBF13E2F0C13ACBF7
C:\SWSetup\Chipset\IDE\WinXP\sata_ide\nvata.sys --a--- 99584 bytes [00:04 27/01/2006] [00:04 27/01/2006] 3AC5EEDD35B7437D53960F3998BFA462
C:\SWSetup\Chipset\nvata.cat --a--- 8836 bytes [15:01 16/05/2006] [15:01 16/05/2006] 45B4D2593DB17F2E2C84242FFD7006B3
C:\SWSetup\Chipset\nvata.inf --a--- 2949 bytes [07:39 15/05/2006] [07:39 15/05/2006] DBA1177CD571878DBF13E2F0C13ACBF7
C:\SWSetup\Chipset\nvata.PNF --a--- 9496 bytes [04:42 20/09/2006] [04:42 20/09/2006] 8089D92A7B2124B2AF3940964B2AFB19
C:\SWSetup\Chipset\nvata.sys --a--- 99584 bytes [00:04 27/01/2006] [00:04 27/01/2006] 3AC5EEDD35B7437D53960F3998BFA462
C:\SWSetup\Chipset\nvatabus.sys --a--- 99584 bytes [00:04 27/01/2006] [00:04 27/01/2006] 3AC5EEDD35B7437D53960F3998BFA462
C:\WINDOWS\system32\drivers\nvata.sys --a--- 99584 bytes [00:04 27/01/2006] [15:26 29/12/2009] 3AC5EEDD35B7437D53960F3998BFA462

-=End Of File=-
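
One way to read the SystemLook output above programmatically, as an added example that is not part of the original thread: it parses four lines copied from the log and compares the installed driver against same-named copies elsewhere on disk. The function names and the reading of the two bracketed timestamps as created then modified are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Four lines copied from the SystemLook log in the post above.
SAMPLE_LOG = r"""
C:\SWSetup\Chipset\IDE\WinXP\sata_ide\nvata.sys --a--- 99584 bytes [00:04 27/01/2006] [00:04 27/01/2006] 3AC5EEDD35B7437D53960F3998BFA462
C:\SWSetup\Chipset\nvata.inf --a--- 2949 bytes [07:39 15/05/2006] [07:39 15/05/2006] DBA1177CD571878DBF13E2F0C13ACBF7
C:\SWSetup\Chipset\nvata.sys --a--- 99584 bytes [00:04 27/01/2006] [00:04 27/01/2006] 3AC5EEDD35B7437D53960F3998BFA462
C:\WINDOWS\system32\drivers\nvata.sys --a--- 99584 bytes [00:04 27/01/2006] [15:26 29/12/2009] 3AC5EEDD35B7437D53960F3998BFA462
"""

LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attr>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

def parse(log):
    """Return one dict per file entry; lines that are not entries are skipped."""
    entries = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        for key in ("created", "modified"):  # assumed order: created, modified
            e[key] = datetime.strptime(e[key], "%H:%M %d/%m/%Y")
        e["md5"] = e["md5"].upper()
        e["name"] = e["path"].rsplit("\\", 1)[1].lower()
        entries.append(e)
    return entries

def review(entries, installed_path):
    """Compare the installed driver with same-named copies found elsewhere."""
    target = next(e for e in entries if e["path"].lower() == installed_path.lower())
    peers = [e for e in entries if e["name"] == target["name"] and e is not target]
    by_hash = defaultdict(list)
    for e in peers:
        if e["created"] == e["modified"]:  # copy untouched since it was written
            by_hash[e["md5"]].append(e["path"])
    return {
        "hash_matches_backup": target["md5"] in by_hash,
        "touched_after_creation": target["modified"] > target["created"],
        "candidates": sorted(by_hash.get(target["md5"], [])),
    }
```

On these lines the installed driver reports the same MD5 as the vendor copies but a 29/12/2009 modification time; a hash read through a running system that may host a kernel rootkit is weaker evidence than one taken offline.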

#15 extremeboy

Posted 29 December 2009 - 02:21 PM

Hello.

Let's try replacing that file using Combofix and if that doesn't work, we will try something else.

--

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    FCOPY::
    C:\SWSetup\Chipset\nvata.sys | C:\WINDOWS\system32\drivers\nvata.sys
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

With Regards,
Extremeboy