[nissy]

Hi everyone; I know you must be tired of hearing about this winfixer problem and I was tempted to use other people's solutions, but I figured everyone's situation is unique in one way or the other. I have tried to do a general cleaup of my PC by removing unused programs and constantly cleaning up my temporary files, but nothing seems to help. Here is my HJT log. Thanks in advance for your help.

Logfile of HijackThis v1.99.1
Scan saved at 1:27:07 PM, on 9/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\locator.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\iisvers.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\AUNTIE~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [UbAm] C:\documents and settings\auntie ann\local settings\temp\UbAm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Lt4l] C:\documents and settings\auntie ann\local settings\temp\Lt4l.exe
O4 - HKLM\..\Run: [ecYiWLzg] C:\documents and settings\auntie ann\local settings\temp\ecYiWLzg.exe
O4 - HKLM\..\Run: [b6z81CLN] C:\documents and settings\auntie ann\local settings\temp\b6z81CLN.exe
O4 - HKLM\..\Run: [o338b9hi] C:\documents and settings\auntie ann\local settings\temp\o338b9hi.exe
O4 - HKLM\..\Run: [vvDFlerX] C:\documents and settings\auntie ann\local settings\temp\vvDFlerX.exe
O4 - HKLM\..\Run: [oX3hRey] C:\documents and settings\auntie ann\local settings\temp\oX3hRey.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [iisvers] C:\WINDOWS\iisvers.exe
O4 - HKLM\..\Run: [NI.UWFX5] "C:\Documents and Settings\auntie Ann\Local Settings\Temporary Internet Files\Content.IE5\YL8FUPQ5\WinFixer2005ScannerInstall[1].exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AntiPopUp] C:\Program Files\AntiPopUp\AntiPopUp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - Unknown owner - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

[Advertisements]

Hi Nissy and welcome to Geeks To Go

A fair mess here to clean up, lets put hijack this into a safer location shall we.

Please read the entire instructions through before proceeding with the recommendations

Double-click on the zip file containing the HijackThis.exe file. Select the HijackThis.exe, and hit the combination “Ctrl + C”.
Minimize the zipfolder, and go to My Computer. Double-click on C:/, then double-click on Program Files.

In the menu bar you’ll find “File”. Click it, then choose “New”, and then “Folder”.

Call this folder HijackThis. Double-click to open this – new – folder.
Now use the combination “Ctrl + V” to paste the HijackThis.exe into this folder. Now close all other windows, and double-click on the HijackThis.exe in the folder you’ve just created.

When that is complete, please run this tool.

Please download ewido security suite it is a free version of the program.

• Install ewido security suite
• When installing, under "Additional Options" uncheck..
  • Install background guard
  • Install scan via context menu
• Launch ewido, there should be an icon on your desktop, double-click it.
• The program will now open to the main screen.
• When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  
• You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
• The update will start and a progress bar will show the updates being installed.
  (the status bar at the bottom will display ("Update successful")

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• You will be prompted to clean the first infection.
• Select "Perform action on all infections", then proceed.
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
• Click Save report.
• Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido security suite.

Also run this tool.

Step 1:
Download the eScan Antivirus Toolkit Here. Save it to the Desktop, it is roughly 10MB in size.
Before running the program we need to update the signature files first in Step 2.

Step 2:
Updating the eScan Antivirus Toolkit with the latest files:

1.) Double-click on the mwav.exe file saved to the Desktop; it will extract the program files to a new folder called Kaspersky at the root of the C:\drive. (C:\Kaspersky.)

2.) Double-click on My Computer, double-click on the Hard Drive (usually the C:\drive), find and double-click on the Kaspersky folder; inside the Kaspersky folder, find and double-click on the kavupd.exe file. Double-clicking on the kavupd.exe file opens the Windows command prompt (DOS screen) and updates the program with all the latest signature files.

3.) After the update is complete, the bottom of the command prompt will read "Press any key to continue", click any key to close the screen.

Please do not run a scan with the eScan Antivirus Toolkit utility yet.

Step 3:
Please reboot into Safe Mode. Detailed instructions on how to boot into Safe Mode Here.

Step 4:
From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:

1.) To run the eScan Antivirus Toolkit program, look for a file called mwavscan.com inside the C:\Kaspersky folder.

2.) Double-click on the mwavscan.com file; this will open the eScan program.

3.) With the eScan interface on your Desktop, make sure that these boxes under Scan Option are checked : Memory, Registry, Startup Folders, System Folders, Services.

4.) Check the Drive box, this will give you access to the other Drive box (radio button) below it, check this second Drive box as well, now a large window across from the second Drive box appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.

5.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.

6.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. When the scan has finished it will read Scan Completed. Do not Exit the tool just yet.

7.) Open a new NotePad file (click on "Start" >> "All Programs" >>"Accessories" >> "NotePad"), then Copy/Paste the content of the Virus Log Information window into that file, and save it. eScan also creates a full log inside the C:\Kaspersky folder (named mwav.log), but it is huge and cannot be posted on a forum. Please post the content of the log you have saved (into NotePad) in your next reply, once all steps are completed.

Reboot your computer into normal Windows.

When this is all completed send me the ewido results, the escan results and a new hijack log please.

[John_L]

Hi Nissy and welcome to Geeks To Go

A fair mess here to clean up, lets put hijack this into a safer location shall we.

Please read the entire instructions through before proceeding with the recommendations

Double-click on the zip file containing the HijackThis.exe file. Select the HijackThis.exe, and hit the combination “Ctrl + C”.
Minimize the zipfolder, and go to My Computer. Double-click on C:/, then double-click on Program Files.

In the menu bar you’ll find “File”. Click it, then choose “New”, and then “Folder”.

Call this folder HijackThis. Double-click to open this – new – folder.
Now use the combination “Ctrl + V” to paste the HijackThis.exe into this folder. Now close all other windows, and double-click on the HijackThis.exe in the folder you’ve just created.

When that is complete, please run this tool.

Please download ewido security suite it is a free version of the program.

• Install ewido security suite
• When installing, under "Additional Options" uncheck..
  • Install background guard
  • Install scan via context menu
• Launch ewido, there should be an icon on your desktop, double-click it.
• The program will now open to the main screen.
• When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  
• You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
• The update will start and a progress bar will show the updates being installed.
  (the status bar at the bottom will display ("Update successful")

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• You will be prompted to clean the first infection.
• Select "Perform action on all infections", then proceed.
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
• Click Save report.
• Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido security suite.

Also run this tool.

Step 1:
Download the eScan Antivirus Toolkit Here. Save it to the Desktop, it is roughly 10MB in size.
Before running the program we need to update the signature files first in Step 2.

Step 2:
Updating the eScan Antivirus Toolkit with the latest files:

1.) Double-click on the mwav.exe file saved to the Desktop; it will extract the program files to a new folder called Kaspersky at the root of the C:\drive. (C:\Kaspersky.)

2.) Double-click on My Computer, double-click on the Hard Drive (usually the C:\drive), find and double-click on the Kaspersky folder; inside the Kaspersky folder, find and double-click on the kavupd.exe file. Double-clicking on the kavupd.exe file opens the Windows command prompt (DOS screen) and updates the program with all the latest signature files.

3.) After the update is complete, the bottom of the command prompt will read "Press any key to continue", click any key to close the screen.

Please do not run a scan with the eScan Antivirus Toolkit utility yet.

Step 3:
Please reboot into Safe Mode. Detailed instructions on how to boot into Safe Mode Here.

Step 4:
From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:

1.) To run the eScan Antivirus Toolkit program, look for a file called mwavscan.com inside the C:\Kaspersky folder.

2.) Double-click on the mwavscan.com file; this will open the eScan program.

3.) With the eScan interface on your Desktop, make sure that these boxes under Scan Option are checked : Memory, Registry, Startup Folders, System Folders, Services.

4.) Check the Drive box, this will give you access to the other Drive box (radio button) below it, check this second Drive box as well, now a large window across from the second Drive box appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.

5.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.

6.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. When the scan has finished it will read Scan Completed. Do not Exit the tool just yet.

7.) Open a new NotePad file (click on "Start" >> "All Programs" >>"Accessories" >> "NotePad"), then Copy/Paste the content of the Virus Log Information window into that file, and save it. eScan also creates a full log inside the C:\Kaspersky folder (named mwav.log), but it is huge and cannot be posted on a forum. Please post the content of the log you have saved (into NotePad) in your next reply, once all steps are completed.

Reboot your computer into normal Windows.

When this is all completed send me the ewido results, the escan results and a new hijack log please.

[nissy]

Hi John,

Thank you so much for your reply; I just got through executing your help instructions and here are my three new logs;

1. EWIDO RESULTS:-

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:17:39 AM, 9/25/2005
+ Report-Checksum: 5C9CF86F

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
[3132] C:\WINDOWS\iisvers.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\auntie Ann\Cookies\auntie ann@247realmedia[1].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\auntie Ann\Cookies\auntie ann@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\auntie Ann\Cookies\auntie ann@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\auntie Ann\Cookies\auntie ann@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\auntie Ann\Cookies\auntie [email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Guest\Local Settings\Temp\A0A1.tmp/jawa32.ocx -> Spyware.Suggestor : Cleaned with backup
C:\Documents and Settings\Guest\Local Settings\Temp\B1B1.tmp/jawa32.ocx -> Spyware.Suggestor : Cleaned with backup
C:\Documents and Settings\Guest\Local Settings\Temp\D1D1.tmp/jawa32.ocx -> Spyware.Suggestor : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\WINDOWS\iisvers.exe -> Spyware.Hijacker.Generic : Cleaned with backup


::Report End


2. ESCAN VIRUS LOG

File C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\G024H4C5\31194[1].htm infected by "Exploit.HTML.IframeBof" Virus. Action Taken: File Renamed.

File C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\MPKZAXCF\WinFixer2005ScannerInstall[1].exe tagged as not-a-virus:Downloader.Win32.Agent.c. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042541.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042542.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042543.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042544.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042545.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042546.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042547.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042548.exe tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042549.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042550.exe tagged as not-a-virus:AdWare.Esyndic.a. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042551.dll tagged as not-a-virus:AdWare.Esyndic.a. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042552.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042553.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042554.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042555.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042556.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042557.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042558.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042559.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042560.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042561.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042562.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042563.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042564.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042565.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042566.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042567.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042568.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042569.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042570.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042571.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042572.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042573.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042574.dll tagged as not-a-virus:AdWare.MediaTickets.c. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042575.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042576.dll tagged as not-a-virus:AdWare.SaveNow.ab. No Action Taken.

File C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP295\A0042577.dll tagged as not-a-virus:AdWare.Midadle.e. No Action Taken.


3. HIJACKTHIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 9:02:29 AM, on 9/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ecYiWLzg] C:\documents and settings\auntie ann\local settings\temp\ecYiWLzg.exe
O4 - HKLM\..\Run: [o338b9hi] C:\documents and settings\auntie ann\local settings\temp\o338b9hi.exe
O4 - HKLM\..\Run: [oX3hRey] C:\documents and settings\auntie ann\local settings\temp\oX3hRey.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AntiPopUp] C:\Program Files\AntiPopUp\AntiPopUp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - Unknown owner - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Thanks again for your help!
Nissy.

[John_L]

Hi Nissy

Looking good lets bash on shall we? Here's what we need to do next.

We will be doing this portion of the fix in safe mode, please print these instructions out or save to a notepad file. There will be no using this page for reference while in safe mode.

I need one or two things from you before hand, make sure this is done please.

Windows XP

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

If your not sure how to get to safe mode here is a link to a tutorial.

Reboot your computer in safe mode

Please boot into safe mode, when there fire up hijack this, press scan only and place checks next to these.

O4 - HKLM\..\Run: [ecYiWLzg] C:\documents and settings\auntie ann\local settings\temp\ecYiWLzg.exe
O4 - HKLM\..\Run: [o338b9hi] C:\documents and settings\auntie ann\local settings\temp\o338b9hi.exe
O4 - HKLM\..\Run: [oX3hRey] C:\documents and settings\auntie ann\local settings\temp\oX3hRey.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - Unknown owner - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE (file missing)

Close all browsers and click on fix this with hijack this.

Find your way to these files and delete if found.

C:\documents and settings\auntie ann\local settings\temp\ecYiWLzg.exe<---This file
C:\documents and settings\auntie ann\local settings\temp\o338b9hi.exe<---This file
C:\documents and settings\auntie ann\local settings\temp\oX3hRey.exe<---This file

Boot back to normal mode and get this application and run it please.

http://home.comcast....anup/index.html

When this is all done please show me a new hijack log.

[nissy]

Thanks for the quick reply John,

I was able to fix the four logs with Hijack this, but could not find the three temp files under documents and settings. Here is my new HJY log;

Logfile of HijackThis v1.99.1
Scan saved at 7:58:22 PM, on 9/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AntiPopUp] C:\Program Files\AntiPopUp\AntiPopUp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - Unknown owner - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thank You,
Nissy.

[nissy]

Hi John,

I had earlier told you that the cleanup link wouldn't work but I just tried it again and it worked; Here is the new HJT log:-


Logfile of HijackThis v1.99.1
Scan saved at 5:15:04 PM, on 9/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AntiPopUp] C:\Program Files\AntiPopUp\AntiPopUp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - Unknown owner - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks,
Nissy.

Edited by nissy, 26 September 2005 - 03:22 PM.

[John_L]

Hi Nissy

You have a interesting file in here that i would like to see if we can find.

This is the file.

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

Because there is no path to it, I'm going to post an idea or two that you can use to look for it.

Please download FileFind from Atribune.
Unzip the file and save it to your desktop.

To run FileFind, please do the following:

• Click on FileFind.exe
• In the box labeled "Enter the directory to search"
  • Enter Drive eg.. C:\
• In the box labeled "Enter the file to search"
  • Enter the file or use *.(file extention) to search for the file(s)
• Now click on the "Find" button
• Once the utility has found the files click on "Export"
• This will save a text file to your C:\ drive as "Export.txt"
• Double click on Export.txt, copy and paste this information in your next post

Please see if you can find

mqrt.dll

And do as posted above please.

[nissy]

Hi John,

These are the mqrt.dll files that I found: -

C:\WINDOWS\ServicePackFiles\i386\mqrt.dll - 177152 Bytes
C:\WINDOWS\system32\mqrt.dll - 177152 Bytes

Thanks,
Nissy.

[John_L]

Hello again Nissy

Good job, getting those files dug up

Now i need you to ake those two files please and send them here.

[email protected]

There's a fellow on the other side that would like to analize those files and see what makes them tick.

When I get a response from him, i will be back to post some more instructions.

[nissy]

Hi John,

I just emailed the files as you had asked me to,

Thanks,
nissy.

[John_L]

Hi Nissy

Just talked to the fellow those files were going to they never made it

Can you pm me your email address and send those files again. I just want to see if they show up and i can use your email to track them from his side.

[John_L]

Hi Nissy

Just got confirmation from the fellow analizing those files there ok

So since its been a day or two can you please send a new hijack log.

[nissy]

Hi John,

Here is my new HJT log;

Logfile of HijackThis v1.99.1
Scan saved at 12:41:03 PM, on 10/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AntiPopUp] C:\Program Files\AntiPopUp\AntiPopUp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - Unknown owner - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks,
Nissy.

[John_L]

Hi Nissy

Well i can see nothing else in this log that is causing problems, so by my account your log is clean Congrats!!!!!

Since your issues have been addressed and you are ready to travel the net again, I will just give you a few ideas on how to stay safe out there. Best of all these programs are all readily available on the net for free

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

More info and download is available at:

Spyware Blaster Spyware Guard

Might I suggest the following Free Spyware programs for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE--Adaware Tutorial

Spybot S&D--Spybot Tutorial

Antiviruses play an important role in keeping your computer safe and worry free while using the net. *NOTE* Only one antivirus must be allowed to run on your computer, as having two or more running can and will cause conflicts.

AVG Avast

Firewalls are also a must in any good prevention :

Zone Alarm Sygate Kerio

There are different browsers available on the net, other than Internet Explorer, we believe!! these are better for security purposes :

Firefox Opera

You must stay on top of your updates at all times, for the above mentioned applications.

It is vitally important to stay on top of your critical updates provided by microsoft.

This can be accessed by going to Windows Updates and following the prompts.

To add to the performance of your computer, i suggest a weekly maintenance program. Run this tool. Ccleaner

Lastly a second opinion on the Antivirus that you have chosen. I suggest running these online virus scans periodically, just to make sure that the av is doing a proper job, of keeping you safe :

Rav Online Scan Housecall Online Scan Panda Activescan

Housecall Java Online Scan<---For those who use Firefox

And finally a little How did I get infected in the first place ? (by Mr. Tony Klein and dvk01)

Good luck and safe surfing

[nissy]

Hi John,

Thank you so much for your help! I will definitely try to safe using your ideas.

Nissy.