My Log File


  • This topic is locked
14 replies to this topic

#1 jubjub64

jubjub64

  • Members
  • 17 posts

Posted 11 January 2007 - 07:59 PM

If someone has time, I would appreciate an analysis on this log file of mine.
Thanks in advance!

A few things to know: I don't have Internet Explorer installed. Also, HijackThis kept closing on an error when I would scan and make a log file.

Logfile of HijackThis v1.99.1
Scan saved at 5:52:12 PM, on 1/11/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system\icrss.exe
C:\WINNT\runservice.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\svchost.exe
E:\Users\Program_Files\Run\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\RsFsa.exe
C:\WINNT\system32\RsSub.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\mqsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\System32\tcpsvcs.exe
C:\Hijackthis\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Users\Program_Files\Run\Adobe\Reader\reader_sl.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINNT\System32\CTSVCCDA.EXE (file missing)
O23 - Service: Visual Studio Debugger Proxy Service (DbgProxy) - Unknown owner - E:\Users\Program_Files\Run\Microfost Visual Studio net\Common7\Packages\Debugger\dbgproxy.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: icrss manager 32bit (icrss) - Unknown owner - C:\WINNT\system\icrss.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINNT\runservice.exe
O23 - Service: ptssvc - KODAK - E:\Users\Program_Files\Run\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe



#2 jubjub64

Posted 13 January 2007 - 12:19 AM

Another thing I forgot to mention is that sometimes when I am redirected or have a popup, my firewall says it is coming from IEXPLORE.exe or firefox.exe or another program called icrss.exe. Anyway, I just reinstalled Internet Explorer without success in removing the virus attached to it.

#3 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 13 January 2007 - 01:41 AM

Hello jubjub64,

I am SifuMike and I will be helping you.

* Download SDFix and save it to your Desktop.

* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

* Reboot into Safe Mode (without networking support!):
To get into the Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O23 - Service: icrss manager 32bit (icrss) - Unknown owner - C:\WINNT\system\icrss.exe

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.

Don't use the windows start\search feature
Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

C:\WINNT\system\icrss.exe <== file



Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum). I need that log afterwards.


* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously, a new HijackThis log and the log from SDfix.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 jubjub64

Posted 14 January 2007 - 11:12 AM

Ok, I followed all the steps, here are my logs.

Dr. Web:
Note: I wasn't sure how to open this because I don't have Excel.

wbbhywwm.dll;c:\winnt\system32;Trojan.Juan;Deleted.;
msvisuals.exe;C:\;Probably UPX;Incurable.Moved.;
s3.0[1].exe;C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\1NTVCAOF;Trojan.Spambot;Deleted.;
viss[1].exe;C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\1NTVCAOF;Probably UPX;Incurable.Moved.;
s3.0[1].exe;C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\PDHA5TLQ;Trojan.Spambot;Deleted.;
preInsBI.exe;C:\Documents and Settings\whiting_ts\Application Data\VCOM\SystemSuite\Quarantine;Trojan.Bispy;Deleted.;
MiniBugTransporter.dll;C:\Program Files\AWS\WeatherBug;Adware.Aws;Incurable.Moved.;
Dc52.exe;C:\RECYCLER\S-1-5-21-1659004503-688789844-1060284298-1007;BackDoor.IRC.Sdbot.based;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
bridge.dll;C:\WINNT\Downloaded Program Files;Trojan.Briss;Deleted.;
jao.dll;C:\WINNT\Downloaded Program Files;Trojan.Briss;Deleted.;
ATPartners.dll;C:\WINNT\system32;Trojan.DownLoader.598;Incurable.Moved.;
biR.exe;C:\WINNT\system32;Trojan.Bispy;Incurable.Moved.;
BO2802040113.dll;C:\WINNT\system32;Probably BINARYRES;Incurable.Moved.;
cfdpcrxs.dll;C:\WINNT\system32;Trojan.Juan;Deleted.;
in10b6.dll;C:\WINNT\system32;Trojan.MulDrop.1565;Deleted.;
lwxheyqj.dll;C:\WINNT\system32;Trojan.Virtumod;Deleted.;
msbb321.dll;C:\WINNT\system32;Adware.nCase;Incurable.Moved.;
wmjcmhlq.exe;C:\WINNT\system32;Adware.TopSearch;Incurable.Moved.;
WxBug.EXE;E:\Users\Program_Files\Run\Sysfiles;Adware.Aws;Incurable.Moved.;


HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:56:30 AM, on 1/14/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Users\Program_Files\Run\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\RsFsa.exe
C:\WINNT\system32\RsSub.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\mqsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Mixer.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\System32\svchost.exe
C:\Hijackthis\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Users\Program_Files\Run\Adobe\Reader\reader_sl.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINNT\System32\CTSVCCDA.EXE (file missing)
O23 - Service: Visual Studio Debugger Proxy Service (DbgProxy) - Unknown owner - E:\Users\Program_Files\Run\Microfost Visual Studio net\Common7\Packages\Debugger\dbgproxy.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINNT\runservice.exe
O23 - Service: ptssvc - KODAK - E:\Users\Program_Files\Run\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

SDFix log:


SDFix: Version 1.58

Sat 01/13/2007 - 10:07:02.09

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:

Checking Services:

Name:

icrss
wins

Path:

"C:\WINNT\system\icrss.exe"
%SystemRoot%\System32\wins.exe

icrss Deleted
wins Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File
Killing PID 188 'smss.exe'
Killing PID 240 'winlogon.exe'
Killing PID 240 'winlogon.exe'

Rebooting

Normal Mode:

Checking Files:


Files will be copied to Backups folder then removed:

C:\WINNT\RMDEVICE.EXE - Deleted
C:\WINNT\system32\i - Deleted
C:\WINNT\system32\rpcc.dll - Deleted



Alternate Stream Check:

C:\WINNT\system32
No streams found.
Final Check:

Remaining Services:
------------------


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with hidden attributes:

C:\NTDETECT.COM
C:\_Backup.RC\WINNT\CP0\ntdetect.com.rcd
C:\_Backup.RC\WINNT\CP1\ntdetect.com.rcd
C:\_Backup.RC\WINNT\CP2\ntdetect.com.rcd
C:\Documents and Settings\whiting_ts\Desktop\mydevice\Windows\irdadrv.dll
C:\WINNT\system32\urqqopn.dll
C:\WINNT\system32\yayaw.dll
C:\arcldr.exe
C:\arcsetup.exe
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\RECYCLER\S-1-5-21-1659004503-688789844-1060284298-1007\Dc52.exe
C:\CONFIG.SYS
C:\IO.SYS
C:\MSDOS.SYS
C:\NTBOOTDD.SYS
C:\WINNT\system32\mmf.sys

Finished

#5 SifuMike

Posted 14 January 2007 - 12:52 PM

Hi jubjub64,

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt.
***********

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.



Please post the contents of C:\vundofix.txt, the ComboFix log and a fresh HijackThis log.

#6 jubjub64

Posted 14 January 2007 - 07:22 PM

Here is the next set of logs. Thank you for your help so far, by the way.

VundoFix log:


VundoFix V6.3.2

Checking Java version...

Sun Java not detected
Scan started at 12:20:17 PM 1/14/2007

Listing files found while scanning....

C:\WINNT\system32\cfdpcrxs.dll
C:\WINNT\system32\urqqopn.dll
C:\WINNT\system32\vqaqkifv.dll
C:\WINNT\system32\wayay.bak1
C:\WINNT\system32\wayay.bak2
C:\WINNT\system32\wayay.ini
C:\WINNT\system32\wayay.ini2
C:\WINNT\system32\wbbhywwm.dll
C:\WINNT\system32\yayaw.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\urqqopn.dll
C:\WINNT\system32\urqqopn.dll Has been deleted!

Attempting to delete C:\WINNT\system32\vqaqkifv.dll
C:\WINNT\system32\vqaqkifv.dll Has been deleted!

Attempting to delete C:\WINNT\system32\wayay.bak1
C:\WINNT\system32\wayay.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\wayay.bak2
C:\WINNT\system32\wayay.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\wayay.ini
C:\WINNT\system32\wayay.ini Has been deleted!

Attempting to delete C:\WINNT\system32\wayay.ini2
C:\WINNT\system32\wayay.ini2 Has been deleted!

Attempting to delete C:\WINNT\system32\yayaw.dll
C:\WINNT\system32\yayaw.dll Has been deleted!

Performing Repairs to the registry.
Done!

ComboFix log:

"Whiting_TS" - Sun 01/14/2007 16:43:01 Service Pack 4
ComboFix 07-01-14.2 - Running from: "C:\Documents and Settings\whiting_ts\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-14 to 2007-01-14 ))))))))))))))))))))))))))))))))))


2007-01-14 12:20 <DIR> d-------- C:\VundoFix Backups
2007-01-13 17:01 <DIR> d-------- C:\DOCUME~1\WHITIN~1\DoctorWeb
2007-01-13 09:46 <DIR> d-------- C:\SDFix
2007-01-12 22:54 <DIR> d-------- C:\DOCUME~1\WHITIN~1\Application Data\Uniblue
2007-01-11 21:39 77,824 -ra------ C:\WINNT\system32\hpzids01.dll
2007-01-11 21:39 48,640 --a------ C:\WINNT\system32\hpzll4pi.dll
2007-01-11 20:47 <DIR> dr-hs---- C:\_Backup.RC
2007-01-11 20:41 12,592 --a------ C:\WINNT\system32\drivers\usbscan.sys
2007-01-11 18:30 <DIR> d-------- C:\DOCUME~1\WHITIN~1\PLUGINS
2007-01-11 16:26 <DIR> d-------- C:\Hijackthis
2007-01-10 22:37 <DIR> d-------- C:\WINNT\Windows Update Setup Files
2007-01-10 07:46 23,040 --a------ C:\WINNT\system32\crypts.dll
2007-01-01 23:19 <DIR> d-------- C:\Roxio Swap


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-14 16:33 1417 --ahs---- C:\WINNT\system32\mmf.sys
2007-01-14 11:28 -------- d-------- C:\Program Files\mozilla firefox
2007-01-10 00:01 -------- d-------- C:\DOCUME~1\WHITIN~1\Application Data\identities
2007-01-09 03:31 -------- d-------- C:\Program Files\peoplepc
2006-12-24 15:19 114 --a------ C:\DOCUME~1\WHITIN~1\Application Data\tempte.gui
2006-12-12 01:52 -------- d-------- C:\DOCUME~1\WHITIN~1\Application Data\scamguard
2006-11-25 14:20 -------- d-------- C:\Program Files\right hemisphere
2006-11-16 00:25 -------- d-------- C:\Program Files\microsoft location finder
2006-11-16 00:00 -------- d-------- C:\Program Files\microsoft activesync


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"C-Media Mixer"="Mixer.exe /startup"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Fix-It AV"="C:\\PROGRA~1\\VCOM\\SYSTEM~1\\MemCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{a5780613-492e-4a2a-a7fd-549610edf6cc}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
tapisrv REG_MULTI_SZ Tapisrv\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
WmdmPmSN



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070113-100153-816
O23 - Service: icrss manager 32bit (icrss) - Unknown owner - C:\WINNT\system\icrss.exe
backup-20070111-171839-357
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20070111-171839-723
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
backup-20070111-171839-780
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/websearch
backup-20070111-171839-859
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
backup-20070111-171741-347
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/trad3rp.cab
backup-20070111-171741-579
O16 - DPF: WebWorks Help 2.0 -
backup-20070111-171741-304
O15 - Trusted Zone: *.spbsoftwarehouse.com
backup-20070111-171741-182
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
backup-20070111-171741-628
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
backup-20070111-171741-259
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
backup-20070111-171741-181
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINNT\system32\lwxheyqj.dll",setvm
backup-20070111-171741-522
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Run\OFFICE11\EXCEL.EXE/3000
backup-20070111-171741-768
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
backup-20070111-171741-512
O4 - HKLM\..\Run: [RoxioDragToDisc] "E:\Users\Program_Files\Run\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
backup-20070111-171741-313
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
backup-20070111-171741-409
O4 - HKLM\..\Run: [QuickTime Task] "E:\users\program_files\run\QuickTime\qttask.exe" -atboottime
backup-20070111-171741-223
O4 - HKLM\..\Run: [C-Media Echo Control] e:\users\program_files\run\PCI Audio Applications\Bin\EchoCtrl.exe
backup-20070111-171741-437
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
backup-20070111-171741-894
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
Completion time: Sun 2007-01-14 16:48:30

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:56:05 PM, on 1/14/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\runservice.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Users\Program_Files\Run\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\RsFsa.exe
C:\WINNT\system32\RsSub.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\mqsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\System32\tcpsvcs.exe
C:\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Users\Program_Files\Run\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1188992C-EE08-4568-A557-EC983E35C02B} - C:\WINNT\system32\yayaw.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINNT\system32\wbbhywwm.dll (file missing)
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Users\Program_Files\Run\Adobe\Reader\reader_sl.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINNT\System32\CTSVCCDA.EXE (file missing)
O23 - Service: Visual Studio Debugger Proxy Service (DbgProxy) - Unknown owner - E:\Users\Program_Files\Run\Microfost Visual Studio net\Common7\Packages\Debugger\dbgproxy.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINNT\runservice.exe
O23 - Service: ptssvc - KODAK - E:\Users\Program_Files\Run\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

#7 SifuMike

Posted 14 January 2007 - 08:07 PM

Hi jubjub64,

Before we start, you need to realise that you are missing one important program on that computer: An antivirus.

This is somewhat suicidal in today's digital world.

You need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download and run the free
AntiVir or
AVG antivirus or
Avast

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and decrease the reliability of it seriously!



Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


Click on start, then control panel, and then double-click on add/remove programs.
From within add/remove program uninstall the following (if they exist) by double-clicking on the following entries:
PeoplePC\Toolbar

*******************************************



In Normal Mode, select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

O2 - BHO: (no name) - {1188992C-EE08-4568-A557-EC983E35C02B} - C:\WINNT\system32\yayaw.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINNT\system32\wbbhywwm.dll (file missing)
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll


*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.

Don't use the windows start\search feature
Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.
Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\Program Files\PeoplePC\Toolbar\ <== folder

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Finally, reboot to the Normal Mode and post a new Hijackthis log, and tell me how your computer is running.

Edited by SifuMike, 14 January 2007 - 08:08 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 jubjub64


Posted 14 January 2007 - 11:10 PM

The antivirus program that I use is VCom System Suite. It has virus and spyware protection and a firewall but one day the computer got used with the firewall turned off. It hasn't been able to get rid of any of these problems though.

#9 SifuMike


Posted 14 January 2007 - 11:17 PM

Ok, then ignore the install of the antivirus and proceed with the rest of the fix.

#10 jubjub64


Posted 16 January 2007 - 12:21 PM

Here is my latest Hijackthis log file after completing all the steps:

Logfile of HijackThis v1.99.1
Scan saved at 10:15:22 AM, on 1/16/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\runservice.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Users\Program_Files\Run\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\RsFsa.exe
C:\WINNT\system32\RsSub.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\mqsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
E:\Users\Program_Files\Run\Adobe\Reader\reader_sl.exe
C:\Hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Users\Program_Files\Run\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Users\Program_Files\Run\Adobe\Reader\reader_sl.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINNT\System32\CTSVCCDA.EXE (file missing)
O23 - Service: Visual Studio Debugger Proxy Service (DbgProxy) - Unknown owner - E:\Users\Program_Files\Run\Microfost Visual Studio net\Common7\Packages\Debugger\dbgproxy.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINNT\runservice.exe
O23 - Service: ptssvc - KODAK - E:\Users\Program_Files\Run\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
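As an added example (not part of the original thread and not HijackThis's own code), here is a small Python parser for the entry lines of a log like the one above. It flags the markers an analyst typically re-checks: `(file missing)`, `Unknown owner` on O23 services, and an O16 entry with no download source. The function names and flag labels are assumptions, the sample lines are constructed from the log format shown in this post, and a flag is a review hint, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: entry lines in the format of the log above, plus one
# running-process path that the parser must skip.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINNT\System32\CTSVCCDA.EXE (file missing)
C:\WINNT\System32\smss.exe
"""

# "<section code> - <entry kind>: <detail>", e.g. "O23 - Service: ..."
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - ([^:]+): (.*)$")

def parse_entries(text):
    """Return one dict per HijackThis entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, running-process path, or blank line
        code, kind, detail = m.groups()
        flags = []
        if detail.endswith("(file missing)"):
            flags.append("file-missing")      # entry points at a file that is gone
        if code == "O23" and " - Unknown owner - " in detail:
            flags.append("unknown-owner")     # service binary has no company name
        if code == "O16" and detail.endswith("-"):
            flags.append("no-source")         # ActiveX entry with empty source field
        entries.append({"code": code, "kind": kind,
                        "detail": detail, "flags": flags})
    return entries

def review_queue(entries):
    """Group flagged entries by section code for manual review."""
    grouped = defaultdict(list)
    for e in entries:
        if e["flags"]:
            grouped[e["code"]].append(e)
    return dict(grouped)

if __name__ == "__main__":
    for code, items in review_queue(parse_entries(SAMPLE_LOG)).items():
        for e in items:
            print(code, e["flags"], e["detail"])
```
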

#11 SifuMike


Posted 16 January 2007 - 01:22 PM

Hi jubjub64,

Your log looks clean! :thumbsup: Good job on the cleanup!

Let's reset your files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK


Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.



Please read and follow
How did I get infected?, With steps so it does not happen again!

#12 jubjub64


Posted 16 January 2007 - 10:29 PM

I don't seem to have a system restore tab in the properties window of "My Computer". Under the Advanced tab I have a Startup and Recovery button I can push but the window that opens up doesn't mention system restore specifically.

#13 SifuMike


Posted 16 January 2007 - 10:50 PM

Hi jubjub64,

Oops. :thumbsup: I forgot you are running Windows 2000 SP4.

No way for you to do System Restore with that Operating System, so just ignore that part.

#14 jubjub64


Posted 16 January 2007 - 11:12 PM

Thank you soooo much for all your help. I was more than happy to make a donation.

#15 SifuMike


Posted 17 January 2007 - 12:51 PM

Thank you for the donation. I am glad I was able to help. I hope your computer continues to run smoothly for you :thumbsup:

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

Edited by SifuMike, 17 January 2007 - 12:52 PM.
