Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

isearch[RESOLVED]

Started by getfalmer , Apr 24 2005 05:27 AM

This topic is locked

#1
getfalmer

Posted 24 April 2005 - 05:27 AM

New Member

Member
5 posts

Hi I run adaware SE and other things. It gets rid of the spyware biut then it comes back. I get things like 'online dating' 'cheap holidays' etc appear as icons on my desktop.
Here is my Hijack this scan:
Logfile of HijackThis v1.99.1
Scan saved at 11:58:51, on 4/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINNT\system32\nsvsvc\nsvsvc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Documents and Settings\Mr Tullett\Desktop\spyware remiovers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Nsv] C:\WINNT\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O20 - Winlogon Notify: Control Panel - C:\WINNT\system32\lv2s09f7e.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

Many thanks.
Neil.

#2
Metallica

Posted 24 April 2005 - 05:52 AM

Spyware Veteran

GeekU Moderator
33,101 posts

First:
If running, kill the follow processes in Task Manager:
desktop.exe
edmond.exe
ffisearch.exe

Second:
Launch Notepad.
Copy/paste the text in the box below into a new text file.
Save it as fixme.reg on your Desktop

REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_CLASSES_ROOT\CLSID\{950238fb-c706-4791-8674-4d429f85897e}]

[-HKEY_CLASSES_ROOT\mfiltis]

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\desktop search]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ffis]

[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\legacy_delprot]

[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\delprot]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\DisableWindowsUpdateAccess]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000000

[-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDevMgrUpdate"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"NoUpdateCheck"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate]
"DisableWindowsUpdateAccess"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000000

Locate fixme.reg on your Desktop and double-click on it.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".

Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".

Third:
Execute the following commands:
Start -> Run -> regsvr32 /u C:\Windows\isrvs\mfiltis.dll
Start -> Run -> regsvr32 /u C:\Windows\isrvs\msdbhk.dll
Start -> Run -> regsvr32 /u C:\Windows\isrvs\sysupd.dll

Fourth:
Reboot your computer into Safe Mode* (stay in Safe Mode* until directed otherwise)

Delete the following files/folders (if present) in C:\Windows\ or C:\Windows\Systme32\
delprot.ini
delprot.log
desktop.exe
isrvs (delete the entire folder)

Fifth:
Delete the following file:
C:\windows\system32\drivers\delprot.sys

Sixth:
Delete the following files/folder (if present) in C:\Documents and Settings\\Desktop\
anal exploits.url
big [bleep] school for 2.95.url
evidence eraser.lnk
popup blocker stops popups.lnk
spyware avenger.lnk
virus hunter security.lnk
your platinum visa.lnk

Seventh:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Run HiJackThis.(note: If any R* items do not appear in Safe Mode, re-run HiJackThis in Normal Mode and remove them after you finish removing these items.)
<** insert HJT items **>

Close all windows except HijackThis and click Fix checked.

While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will be lcoated in C:\Windows\ or C:\Windows\System32\)
<** insert items to delete **>

*How to Boot into Safe mode: »service1.symantec.com/SUPPORT/tsgeninf..
**Show Hidden and System files and folders: »www.xtra.co.nz/help/0,,4155-1916458,00..

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.

Eighth:
Download DelDomains.inf from here:

www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'

When its finished your IE Zones wil lbe reset. That will make it necessary to re-install protection using SpywareBlaster and to re-install IE/Spyads, if you use them.

Last:
Run HiJackThis again and post a new log in this thread.

Regards,

Pieter

#3
getfalmer

Posted 25 April 2005 - 03:45 PM

New Member

Topic Starter
Member
5 posts

Thanks for your help, Metallica.
Couldn't get all the stuff you told me to do to work eg run> regsvr32 /u C:\Windows\isrvs\mfiltis.dll
It just says 'which program do you want it to open with?'
Probably me being thick. That's why I haven't reposted my new HJ log.
But what I have deleted so far seems to have helped.
Cheers mate! :tazz:

#4
Metallica

Posted 26 April 2005 - 02:29 AM

Spyware Veteran

GeekU Moderator
33,101 posts

Glad to hear that. Do post another log so I can see if it's all gone.

Regards,

Pieter

#5
getfalmer

Posted 26 April 2005 - 12:27 PM

New Member

Topic Starter
Member
5 posts

Hi Pieter.
Here is my latest Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 19:17:02, on 4/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINNT\system32\nsvsvc\nsvsvc.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Nsv] C:\WINNT\system32\nsvsvc\nsvsvc.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O20 - Winlogon Notify: RunOnceEx - C:\WINNT\system32\lvjq0915e.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

Cheers,
Neil.

#6
Metallica

Posted 26 April 2005 - 12:44 PM

Spyware Veteran

GeekU Moderator
33,101 posts

Good thing we decided to do a last check.

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [Nsv] C:\WINNT\system32\nsvsvc\nsvsvc.exe

Reboot once more into safe mode and delete:
C:\WINNT\system32\nsvsvc <= entire folder

Regards,

Pieter

#7
getfalmer

Posted 27 April 2005 - 03:37 PM

New Member

Topic Starter
Member
5 posts

Hi Pieter.
I followed your advice on getting rid of nscvc.
Here is the i2mfix log followed by my latest HJ log.

L2Mfix 1.03

Running From:
C:\Documents and Settings\Mr Tullett\Desktop\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

C:\Documents and Settings\Mr Tullett\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Mr Tullett\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1012 'explorer.exe'
Killing PID 1012 'explorer.exe'
Error 0x5 : Access is denied.
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 296 'rundll32.exe'
Killing PID 296 'rundll32.exe'
Error 0x5 : Access is denied.
Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINNT\system32\DSCPSAPI.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\fpl0033me.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fpp4037qe.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\gppsl3771.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\h8l20i3oe8.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\i624lgfq162e.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\iOsrecst.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\madsrv32.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mvencode.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\nbmkcert.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\nkmkcert.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\q6nulg5916.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\t88ulil918q.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINNT\system32\DSCPSAPI.DLL
Successfully Deleted: C:\WINNT\system32\DSCPSAPI.DLL
deleting: C:\WINNT\system32\fpl0033me.dll
Successfully Deleted: C:\WINNT\system32\fpl0033me.dll
deleting: C:\WINNT\system32\fpp4037qe.dll
Successfully Deleted: C:\WINNT\system32\fpp4037qe.dll
deleting: C:\WINNT\system32\gppsl3771.dll
Successfully Deleted: C:\WINNT\system32\gppsl3771.dll
deleting: C:\WINNT\system32\h8l20i3oe8.dll
Successfully Deleted: C:\WINNT\system32\h8l20i3oe8.dll
deleting: C:\WINNT\system32\i624lgfq162e.dll
Successfully Deleted: C:\WINNT\system32\i624lgfq162e.dll
deleting: C:\WINNT\system32\iOsrecst.dll
Successfully Deleted: C:\WINNT\system32\iOsrecst.dll
deleting: C:\WINNT\system32\madsrv32.dll
Successfully Deleted: C:\WINNT\system32\madsrv32.dll
deleting: C:\WINNT\system32\mvencode.dll
Successfully Deleted: C:\WINNT\system32\mvencode.dll
deleting: C:\WINNT\system32\nbmkcert.dll
Successfully Deleted: C:\WINNT\system32\nbmkcert.dll
deleting: C:\WINNT\system32\nkmkcert.dll
Successfully Deleted: C:\WINNT\system32\nkmkcert.dll
deleting: C:\WINNT\system32\q6nulg5916.dll
Successfully Deleted: C:\WINNT\system32\q6nulg5916.dll
deleting: C:\WINNT\system32\t88ulil918q.dll
Successfully Deleted: C:\WINNT\system32\t88ulil918q.dll
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: DSCPSAPI.DLL (152 bytes security) (deflated 6%)
adding: fpl0033me.dll (152 bytes security) (deflated 5%)
adding: fpp4037qe.dll (152 bytes security) (deflated 5%)
adding: gppsl3771.dll (152 bytes security) (deflated 4%)
adding: h8l20i3oe8.dll (152 bytes security) (deflated 5%)
adding: i624lgfq162e.dll (152 bytes security) (deflated 4%)
adding: iOsrecst.dll (152 bytes security) (deflated 6%)
adding: madsrv32.dll (152 bytes security) (deflated 6%)
adding: mvencode.dll (152 bytes security) (deflated 4%)
adding: nbmkcert.dll (152 bytes security) (deflated 5%)
adding: nkmkcert.dll (152 bytes security) (deflated 4%)
adding: q6nulg5916.dll (152 bytes security) (deflated 5%)
adding: t88ulil918q.dll (152 bytes security) (deflated 4%)
adding: guard.tmp (152 bytes security) (deflated 6%)
adding: clear.reg (152 bytes security) (deflated 68%)
adding: echo.reg (152 bytes security) (deflated 10%)
adding: desktop.ini (152 bytes security) (deflated 15%)
adding: direct.txt (152 bytes security) (stored 0%)
adding: lo2.txt (152 bytes security) (deflated 81%)
adding: readme.txt (152 bytes security) (deflated 49%)
adding: test.txt (152 bytes security) (deflated 73%)
adding: test2.txt (152 bytes security) (deflated 48%)
adding: test3.txt (152 bytes security) (deflated 48%)
adding: test5.txt (152 bytes security) (deflated 48%)
adding: xfind.txt (152 bytes security) (deflated 65%)
adding: backregs/05FA9656-82E0-43CF-A5A0-4B61DCD16438.reg (152 bytes security) (deflated 70%)
adding: backregs/12164990-8E7A-448D-ADD0-A7A8E4358BFB.reg (152 bytes security) (deflated 70%)
adding: backregs/12632696-1296-4FA2-A47C-ADB7D438D071.reg (152 bytes security) (deflated 70%)
adding: backregs/2198FF2F-B130-4A21-A610-CE6A90571EA8.reg (152 bytes security) (deflated 70%)
adding: backregs/23459D8A-4D3D-4703-979C-8D61A26DD8A6.reg (152 bytes security) (deflated 70%)
adding: backregs/26776AA2-F9F6-4B13-99E8-D90F7DF687AC.reg (152 bytes security) (deflated 70%)
adding: backregs/59A6D4CE-91C1-4123-B7D4-B45FC51E9059.reg (152 bytes security) (deflated 70%)
adding: backregs/7616D420-3418-4611-A2F6-0460D4E31BE8.reg (152 bytes security) (deflated 70%)
adding: backregs/799B5C0B-7FEF-49A2-809E-D6D99B9D21E2.reg (152 bytes security) (deflated 69%)
adding: backregs/9DE1C81F-C489-4812-80B7-61E186B398BC.reg (152 bytes security) (deflated 70%)
adding: backregs/9E13E90A-1619-4137-A722-3D3CCF56BDDA.reg (152 bytes security) (deflated 70%)
adding: backregs/B152A65A-0066-4B2A-B036-66735CADF3FC.reg (152 bytes security) (deflated 70%)
adding: backregs/EA7AEDF0-8480-4302-B4B7-C5A83D1EC796.reg (152 bytes security) (deflated 70%)
adding: backregs/EB210932-CF83-40FC-94DF-E5D547C8AF37.reg (152 bytes security) (deflated 70%)
adding: backregs/FBAF5028-C9B2-46B6-A293-259E72C044DD.reg (152 bytes security) (deflated 71%)
adding: backregs/FC7B4CAB-32C5-49B5-8219-F5AFCC3E4596.reg (152 bytes security) (deflated 70%)
adding: backregs/shell.reg (152 bytes security) (deflated 74%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: DSCPSAPI.DLL
deleting local copy: fpl0033me.dll
deleting local copy: fpp4037qe.dll
deleting local copy: gppsl3771.dll
deleting local copy: h8l20i3oe8.dll
deleting local copy: i624lgfq162e.dll
deleting local copy: iOsrecst.dll
deleting local copy: madsrv32.dll
deleting local copy: mvencode.dll
deleting local copy: nbmkcert.dll
deleting local copy: nkmkcert.dll
deleting local copy: q6nulg5916.dll
deleting local copy: t88ulil918q.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

The following are the files found:
****************************************************************************
C:\WINNT\system32\DSCPSAPI.DLL
C:\WINNT\system32\fpl0033me.dll
C:\WINNT\system32\fpp4037qe.dll
C:\WINNT\system32\gppsl3771.dll
C:\WINNT\system32\h8l20i3oe8.dll
C:\WINNT\system32\i624lgfq162e.dll
C:\WINNT\system32\iOsrecst.dll
C:\WINNT\system32\madsrv32.dll
C:\WINNT\system32\mvencode.dll
C:\WINNT\system32\nbmkcert.dll
C:\WINNT\system32\nkmkcert.dll
C:\WINNT\system32\q6nulg5916.dll
C:\WINNT\system32\t88ulil918q.dll
C:\WINNT\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{59A6D4CE-91C1-4123-B7D4-B45FC51E9059}"=-
"{12632696-1296-4FA2-A47C-ADB7D438D071}"=-
"{9DE1C81F-C489-4812-80B7-61E186B398BC}"=-
"{12164990-8E7A-448D-ADD0-A7A8E4358BFB}"=-
"{EB210932-CF83-40FC-94DF-E5D547C8AF37}"=-
"{2198FF2F-B130-4A21-A610-CE6A90571EA8}"=-
"{23459D8A-4D3D-4703-979C-8D61A26DD8A6}"=-
"{05FA9656-82E0-43CF-A5A0-4B61DCD16438}"=-
"{FBAF5028-C9B2-46B6-A293-259E72C044DD}"=-
"{9E13E90A-1619-4137-A722-3D3CCF56BDDA}"=-
"{7616D420-3418-4611-A2F6-0460D4E31BE8}"=-
"{799B5C0B-7FEF-49A2-809E-D6D99B9D21E2}"=-
"{B152A65A-0066-4B2A-B036-66735CADF3FC}"=-
"{FC7B4CAB-32C5-49B5-8219-F5AFCC3E4596}"=-
"{26776AA2-F9F6-4B13-99E8-D90F7DF687AC}"=-
"{EA7AEDF0-8480-4302-B4B7-C5A83D1EC796}"=-
[-HKEY_CLASSES_ROOT\CLSID\{59A6D4CE-91C1-4123-B7D4-B45FC51E9059}]
[-HKEY_CLASSES_ROOT\CLSID\{12632696-1296-4FA2-A47C-ADB7D438D071}]
[-HKEY_CLASSES_ROOT\CLSID\{9DE1C81F-C489-4812-80B7-61E186B398BC}]
[-HKEY_CLASSES_ROOT\CLSID\{12164990-8E7A-448D-ADD0-A7A8E4358BFB}]
[-HKEY_CLASSES_ROOT\CLSID\{EB210932-CF83-40FC-94DF-E5D547C8AF37}]
[-HKEY_CLASSES_ROOT\CLSID\{2198FF2F-B130-4A21-A610-CE6A90571EA8}]
[-HKEY_CLASSES_ROOT\CLSID\{23459D8A-4D3D-4703-979C-8D61A26DD8A6}]
[-HKEY_CLASSES_ROOT\CLSID\{05FA9656-82E0-43CF-A5A0-4B61DCD16438}]
[-HKEY_CLASSES_ROOT\CLSID\{FBAF5028-C9B2-46B6-A293-259E72C044DD}]
[-HKEY_CLASSES_ROOT\CLSID\{9E13E90A-1619-4137-A722-3D3CCF56BDDA}]
[-HKEY_CLASSES_ROOT\CLSID\{7616D420-3418-4611-A2F6-0460D4E31BE8}]
[-HKEY_CLASSES_ROOT\CLSID\{799B5C0B-7FEF-49A2-809E-D6D99B9D21E2}]
[-HKEY_CLASSES_ROOT\CLSID\{B152A65A-0066-4B2A-B036-66735CADF3FC}]
[-HKEY_CLASSES_ROOT\CLSID\{FC7B4CAB-32C5-49B5-8219-F5AFCC3E4596}]
[-HKEY_CLASSES_ROOT\CLSID\{26776AA2-F9F6-4B13-99E8-D90F7DF687AC}]
[-HKEY_CLASSES_ROOT\CLSID\{EA7AEDF0-8480-4302-B4B7-C5A83D1EC796}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{DB03B82E-D91D-4C24-9AFF-190EB185635D}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>
****************************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 22:29:17, on 4/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

Many thanks for your help.

Neil.

#8
Metallica

Posted 28 April 2005 - 05:24 AM

Spyware Veteran

GeekU Moderator
33,101 posts

Excellent job. :tazz:

A bit of spring cleaning.
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R3 - Default URLSearchHook is missing

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present } Remark about the O6 entries:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present } If you or the system administrator set those to prevent other users from changing the setttings, leave them alone

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Reboot and you should be good to go.

Regards,

Pieter

#9
getfalmer

Posted 28 April 2005 - 01:03 PM

New Member

Topic Starter
Member
5 posts

Thanks Pieter.

You are a hero. My system runs like a dream now thanks to you.

I would buy you a beer if I could. :tazz:

Once again, cheers, mate.

#10
Metallica

Posted 28 April 2005 - 01:20 PM

Spyware Veteran

GeekU Moderator
33,101 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

Please do have a look at my site about removing and preventing spyware.

If your the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.