Gary - I need your help please!


Syd
02-06-2007, 12:48 AM
Gary, do you know what this screen means? It's not the first time I have had this come up and I went and downloaded Fixblast and have now run it twice but both times came up with nothing.

My computer has been acting really slowly lately. This is probably, in part, due to the fact that my hard drive is less than one GB away from being chock-a-block! I am trying to hang in there for a while until I can afford to buy a whole new system - I have had this one for almost five years now. Perhaps I should also tell you that my Norton Antivirus expired two months ago before I went on holiday and I still haven't got a new one. Whoops - don't scold me for that one! Also our apartment block is on a communal Internet connection. I have no idea how it works...all I know is that sometimes it is fast and sometimes it is slow. Am I in big trouble now and should I start backing up furiously?

Usually when the computer starts crawling at a snail's pace then this screen comes up but then if I hit Refresh it will redirect me again. The last two days, however, it has been more offline than online. I am starting to get worried. Any advice? Thanks Gary or, in fact, anyone who might be able to explain to me what is going on.

Sincerely
Syd

CJ Swartz
02-06-2007, 01:26 AM
Syd,

While waiting for Gary or one of the other knowledgeable folks to come by, take a look at this thread --

http://www.retouchpro.com/forums/hardware/15747-gary-anybody-help-please.html

If you can backup really important files, do it -- not just because there's a problem, but because we always should do it.

There are free programs to scan for spyware and viruses -- while you're waiting, take a look at those and run one. Read what Gary says about the Hijack log -- wait for him if you have any questions about how to do anything, but start thinking about whether you've added any software lately, hardware, downloaded any funny email or programs from the internet, etc. -- something that might help Gary figure out what might be going on.

BillFrey
02-06-2007, 01:39 AM
Hi Syd,

Your screen shot shows a url for my.yahoo.com. That's suspicious to begin with. Who would know how much bandwidth you are using and why would they warn you about it if it were a virus/worm?

Looks like a pop up ad that hit its target.

Always good advice to keep your system free of viruses and use a firewall.

CJ Swartz
02-06-2007, 01:45 AM
Bill -- just to clarify -- it is Syd who has the problem. :(

Good advice about the firewall etc., but it may be too late for that right now.

BillFrey
02-06-2007, 01:54 AM
Oops, sorry, CJ. When I scrolled to see the OP's name I didn't realize the posts were in reverse order.

I'll fix my reply. Apologies!

chrishoggy
02-06-2007, 02:18 AM
First of all you need to get your system protected and scanned; below is a free anti-virus and a free firewall. Both work very well and have never failed me.

Firewall
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

Anti-Virus
http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-virus-free

Then the next thing I would do is get shut of the Yahoo toolbar you have installed in IE6. Toolbars are never a good thing IMHO. Run Windows Update, and make sure you are fully up to date with those. If you can, update to IE7, as it is a bit more secure than IE6.
If you can backup your files to CD/DVD and delete them from your system, this will help speed up your system. If you do that, defrag your hard drive after, to clean up the file placement on the drive.

Syd
02-06-2007, 07:21 AM
CJ, Chris and Bill thanks so much for your advice. You guys are great. CJ, I am following Gary's advice in that thread right now and hopefully will have something to post for him soon. Chris, I do have Zonealarm and I will look into that Antivirus programme. My colleague at work mentioned AVG. It is free and, according to him, very good too. I had no idea that the toolbar might cause problems. I wouldn't even know how to remove it. Bill, I would never have thought to look at the URL. It looked so official to me and I just kept on wondering who or what Bandwidth Manager was!

Thanks guys.
Sincerely Syd

Cameraken
02-06-2007, 07:22 AM
Hi Syd

Sorry to hear you are having problems. I am sure that Gary will need to see your HJT log. You could upload it whilst waiting for Gary if you want to save a little time.

Here are the instructions to post your log.



Click here (http://downloads.malwareremoval.com/HJTsetup.exe) to download HJTsetup.exe, and save it to your desktop. Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the "Select Additional Tasks" dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
Copy and paste the log here
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


Ken.

Syd
02-06-2007, 07:36 AM
Thanks so much Ken. Ok I have done everything as you have instructed and here are the results:

Logfile of HijackThis v1.99.1
Scan saved at 10:29:04 PM, on 2007/2/6
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Wintab32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE
D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\conime.exe
D:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - D:\PROGRA~1\Inventec\Dreye\DreyeMT\DREYEI~1.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P26 "EPSON Stylus CX3500 Series" /O6 "USB001" /M "Stylus CX3500"
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: Download with NetTransport (影音傳送帶) - D:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download all links with NetTransport (影音傳送帶) - D:\Program Files\Xi\NetTransport 2\NTAddList.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=Http://www.synnex.com.tw/
O15 - Trusted Zone: http://office.microsoft.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{B02DC897-A387-4AE6-AD76-E98EA833946F}: NameServer = 168.95.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - D:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Wintab32 - Unknown owner - D:\WINDOWS\system32\Wintab32.exe

I haven't fixed anything just like you advised me to. Thanks so much for your help.
Sincerely Syd
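Part of what Gary does with a log like this one by hand (working through each entry and deciding which ones to research) can be scripted. The Python below is an added example written for this thread; it is not a HijackThis feature and not something Gary posted. It reads a HijackThis log, flags the entry types a reviewer reads every time (O14 IE reset page, O15 Trusted Zone, O17 DNS server, O20 Winlogon Notify) plus any entry marked "(no name)", "Unknown owner" or "(file missing)", and lists the on-disk files behind the flagged entries as candidates for a VirusTotal / Jotti upload. The sample log is a subset of lines copied from the log posted above; which sections and markers to flag is the example's own review heuristic. A flag means "verify by hand", not "malicious": Gary's later posts show exactly that kind of verification (the O14 Synnex entry turned out to be the retailer's default page).

```python
import re
from typing import Dict, List, Optional, Tuple

# Subset of lines copied from the HijackThis log posted above (not constructed).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O14 - IERESET.INF: START_PAGE_URL=Http://www.synnex.com.tw/
O15 - Trusted Zone: http://office.microsoft.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B02DC897-A387-4AE6-AD76-E98EA833946F}: NameServer = 168.95.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - D:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Wintab32 - Unknown owner - D:\WINDOWS\system32\Wintab32.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
# Windows path up to the first executable-type extension (tolerates spaces in "Program Files").
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|sys))\b', re.IGNORECASE)

# Sections a reviewer reads every time, whatever they contain (this example's own heuristic).
ALWAYS_REVIEW: Dict[str, str] = {
    "O14": "IE reset start page: set by OEM/retailer, but also a hijack target",
    "O15": "Trusted Zone entry: relaxes IE security for that host",
    "O17": "DNS server override: confirm it belongs to the ISP",
    "O20": "Winlogon Notify DLL: loaded at every logon",
}
# Text markers inside an entry that call for a closer look.
MARKERS: Dict[str, str] = {
    "(no name)": "component registered without a name",
    "Unknown owner": "service with no publisher",
    "(file missing)": "registered component whose file is absent",
}


def parse_entries(log: str) -> List[Tuple[str, str]]:
    """Return (section, body) for every 'Oxx - ...' line; header lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(log: str) -> List[Tuple[str, str, str]]:
    """Return (section, body, reasons) for entries that need a human verdict."""
    flagged = []
    for section, body in parse_entries(log):
        reasons = []
        if section in ALWAYS_REVIEW:
            reasons.append(ALWAYS_REVIEW[section])
        reasons += [why for marker, why in MARKERS.items() if marker in body]
        if reasons:
            flagged.append((section, body, "; ".join(reasons)))
    return flagged


def extract_path(body: str) -> Optional[str]:
    """First Windows path with an executable extension in an entry body, if any."""
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def files_to_verify(log: str) -> List[str]:
    """On-disk files behind flagged entries: candidates for a VirusTotal/Jotti upload."""
    paths = set()
    for _section, body, _reasons in triage(log):
        if "(file missing)" in body:
            continue  # nothing on disk to hash or upload
        path = extract_path(body)
        if path:
            paths.add(path)
    return sorted(paths)


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {body}\n    -> {reasons}")
    print("Files to verify:", *files_to_verify(SAMPLE_LOG), sep="\n  ")
```

Run against the full log, the output is a short worklist rather than a verdict; each path in "Files to verify" is what you would feed to the multi-engine scan Gary asks for in his next post, and each O14/O15/O17 line is a question to put to the machine's owner, as Gary does about Synnex and Hinet.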

Syd
02-06-2007, 07:54 AM
Right click My Computer, then click Manage.
This will bring up the Computer Management window.
Expand System Tools then click Event Viewer.
Double click System in the right-hand pane.

Look for any Error indications (white cross on red background).
If found, double click the entry and an Event Property window will open.

We need details from that window, particularly the Event ID.

_________________

Ok, I did this too and I have only one error: ID 4321

Syd

Cameraken
02-06-2007, 08:12 AM
Hi Syd

You do have some nasties in there.
I am still in training at the Malware University and not yet allowed to help you, but I would suggest you do nothing more until Gary replies or he will need a fresh HJT log.

I shall watch with interest as Gary fixes this.

Ken.

Syd
02-06-2007, 08:26 AM
Thanks Ken. I won't touch anything. I am too scared to! What I am doing right now is downloading the AVG Antivirus programme but I am not going to install it or uninstall Norton or anything like that. I am going to wait for Gary first. It is 11:15 at night over here so I will probably be going to bed in the next 45 mins or so and, therefore, might not receive any advice you or anyone else might give until tomorrow morning.

Sincerely Syd

Gary Richardson
02-07-2007, 08:20 AM
Hi Syd,

Sorry I'm a bit late getting to this, had a few problems lately that needed dealing with, so just got on line.

Before we get started I've a couple of questions.

1. Is Hinet, Chungwa Telecom Co. Ltd. Taipei, Taiwan anything to do with your ISP (Internet Service Provider)?

2. How is Synnex concerned with your PC?

I see some Oriental Translation programmes running on your computer, so I'm guessing the first is legit, but I'll await your answers.

You're using your D:\ drive as your default drive, so my auto systems weren't able to be used and I had to research your log manually, so that added a little time.

OK, had a look through your log, and it's mostly clean, however there's an item showing that I'm interested in.

I'd like you to check a file(s) for Viruses.

Go to VirusTotal (www.virustotal.com) or Jotti's (http://virusscan.jotti.org/), and scan the following file(s).

D:\WINDOWS\system32\conime.exe

Click on the Browse button at the top of the screen.
Browse to the file.
Click OK.
Click Send, and the file will upload to VirusTotal / Jotti, where it will be scanned by several anti-virus programmes.
After a while, a window will open, with details of what the scans found.
Note details of any viruses found.
Post me the details please.


It's quite possible you have Rootkitted processes running on your computer, so I'd like you to run some scans for me.

Download GMER (http://www.gmer.net/gmer.zip) and unzip it to your Desktop. (It will create a folder GMER)

Alternate Download Site (http://gmer.thespykiller.co.uk/)


Disconnect from the Internet, and close all running programmes.
There is a small chance this programme may crash your computer, so save any work you have open.
Open the GMER folder, and double click gmer.exe
Let the gmer.sys driver load if asked.
If it gives you a warning at programme start about rootkit activity and asks if you want to run a scan ..... click OK.
If no warning:

Click Rootkit tab.
Ensure that All the boxes to the right of the program are checked except Show All.
Click Scan.

Once scan is finished click Copy.

Click Start > Run then type Notepad.exe then click OK.
This will open a Notepad file.
Hit Ctrl+V to paste log into it.
Save the log to your Desktop.

Reconnect to internet and post the log please.


Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner)

Note: You must be using Internet Explorer as your browser as it will be necessary to install an Active X component to your computer.

Important If you have previously used Kaspersky Online Scanner (before 8th Aug 2006), you will have to uninstall the old version using Add/Remove Programs in Control Panel before you can use the new version.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:

Scan using the following Anti-Virus database:

Extended (If available otherwise Standard)

Scan Options:

Scan Archives
Scan Mail Bases


Click OK.
Now under select a target to scan select My Computer.
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post please, along with the GMER log, and the details from Jotti/Virus Total.


Post each log separately, so we don't exceed the post size limiter here.

Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

Syd
02-07-2007, 09:13 AM
Gary, firstly thank you so much for responding in such a detailed way. You're a star!

Before we get started I've a couple of questions.

1. Is Hinet, Chungwa Telecom Co. Ltd. Taipei, Taiwan anything to do with your ISP (Internet Service Provider)?

2. How is Synnex concerned with your PC?

In response to 1 - Yes, Hinet is our ISP and Chungwa is the local Telecom company.

Gary I am not sure what Synnex is. It sounds like something to do with Norton...or is that Symantec?

Ok, the rest I will get onto right away. I am not sure how much I will be able to finish tonight (it is already after 12) but hopefully I should have everything posted by tomorrow afternoon.

Thanks again for your willingness to help Gary.
Sincerely Syd

Gary Richardson
02-07-2007, 09:32 AM
Synnex is the website that this entry on your computer connects to.

O14 - IERESET.INF: START_PAGE_URL=Http://www.synnex.com.tw/

It is what IE uses when it resets to default conditions, usually it is set by the computer manufacturer or machine administrator, but it can be used by an attacker for malicious purposes.

In this case Synnex appears to be the retailer for your computer, (didn't find this info 1st time round), so the entry is likely to be legit. Just like to confirm things like this with the owner of the log I'm looking at.

Always happy to help where I can, I'm monitoring this thread, so I'll be notified when you next post.

Syd
02-07-2007, 09:35 AM
Ok Gary here is the first of your requests. Sorry I didn't know how to post the log except by hitting print screen and taking it into photoshop.

I have already downloaded gmer (sounds a bit like Khmer Rouge - lol) and will set about scanning immediately. If it takes a long time I will likely only post the results in the morning.

Thanks Gary
Syd

Gary Richardson
02-07-2007, 02:27 PM
GMER is a Rootkit scanner, its name comes from its creator, a Polish programmer Przemyslaw Gmerek, it's one of the best.

Screen print of the Virus Total page is fine.

OK, looks like the conime.exe file is the legit windows file, had to check as there is a Remote access programme BFGhost which uses a file of the same name, as far as I know in the same location (information I found wasn't too specific on this point).

BillFrey
02-07-2007, 03:03 PM
I was curious and googled and found this info that might apply.

I would also like to add that not every version of conime.exe is a trojan! conime.exe is also installed along with windows xp in the C:\WINDOWS\system32 folder, I also have this file and it turns out it's the ''Microsoft Console IME (Input Method Editor)''. It executes whenever a command prompt is opened, so it seems that it's used for Asian language input support in the command prompt.

Gary Richardson
02-07-2007, 03:32 PM
Thanks Bill, I was aware of the legit Windows file, but where there is any doubt that it may have been replaced with a malicious file I always like to check by having the file scanned as Syd did.

Syd
02-07-2007, 09:28 PM
Ok Gary here is the GMER report:

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-08 01:08:52
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 8119FC20 ZwConnectPort
SSDT \??\D:\WINDOWS\system32\vsdatant.sys ZwOpenProcess
SSDT FFA458C0 ZwOpenThread

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [EFA06E90] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_CREATE [EFA00B50] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_CLOSE [EFA00B50] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_DEVICE_CONTROL [EFA00B50] vsdatant.sys
Device \Driver\AFD \Device\Afd FastIoDeviceControl [EFA00510] vsdatant.sys

---- EOF - GMER 1.0.12 ----

Thanks for your help Gary. I am doing the Kaspersky scan right now but it looks like it is going to take ages and it has slowed my computer down to a snail's pace. I will post the results later. Thanks Syd

Gary Richardson
02-08-2007, 12:50 AM
OK, that's clean as well, vsdatant is the driver for Zone Alarm (didn't need to look that one up as I have ZA on my box).

Yes a Kaspersky scan is definitely an exercise in patience and can sometimes take hours, however it is very thorough and gives a very good log, also it doesn't "clean" anything so we don't have to worry about it doing any damage by removing something we'd later wish it hadn't.

Syd
02-08-2007, 06:30 AM
Ok Gary here it is. It took a while and it seems that my computer is indeed infected. What do you think I should do? I went and downloaded the AVG Free Antivirus Programme off the Net on Tuesday but as of yet haven't installed it. My Norton is still operational even though it can't be updated because it has expired. I know I will have to uninstall Norton before I install the new one. Anyway I won't do anything until I have heard from you. As always thanks so much for your time and patience Gary.

Sincerely Syd

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 08, 2007 9:11:49 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 8/02/2007
Kaspersky Anti-Virus database records: 265913
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 119526
Number of viruses found: 13
Number of infected objects: 29 / 0
Number of suspicious objects: 5
Duration of the scan process: 04:19:53

Infected Object Name / Virus Name / Last Action
C:\Program Files\Norton AntiVirus\Quarantine\021540D6.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\02186AD3.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\000C2914.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F0D2860.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\26C147E1.class Infected: Trojan.Java.ClassLoader.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F774C4B.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F911C2E.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\30DE56C0.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\30F252AA.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\3137445E.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\373A53AA.class Infected: Trojan.Java.ClassLoader.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\73203422.class Infected: Trojan.Java.ClassLoader.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\3BA412CE.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\43AB3F35.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\4EA754D3.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\34B64E0B.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\06145256.class Infected: Trojan.Java.ClassLoader.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\06177C52.class Infected: Trojan.Java.ClassLoader.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\048E4A54.htm Infected: Trojan-Downloader.JS.IstBar.k skipped
C:\goldcodec.997.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.baz skipped
C:\goldcodec.997.exe/stream Infected: Trojan-Downloader.Win32.Zlob.baz skipped
C:\goldcodec.997.exe NSIS: infected - 2 skipped
C:\goldcodec.997.exe UPX: infected - 2 skipped
C:\goldcodec.997.exe PE_Patch.UPX: infected - 2 skipped
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
D:\WINDOWS\system32\config\SYSTEM Object is locked skipped
D:\WINDOWS\system32\config\DEFAULT Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
D:\WINDOWS\system32\h323log.txt Object is locked skipped
D:\WINDOWS\Temp\ZLT0657f.TMP Object is locked skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\Sti_Trace.log Object is locked skipped
D:\WINDOWS\wiaservc.log Object is locked skipped
D:\WINDOWS\wiadebug.log Object is locked skipped
D:\WINDOWS\SchedLgU.Txt Object is locked skipped
D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
D:\WINDOWS\Internet Logs\DESKTOP.ldb Object is locked skipped
D:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
D:\WINDOWS\NDNuninstall6_98.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\user\NTUSER.DAT.LOG Object is locked skipped
D:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
D:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
D:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
D:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
D:\Program Files\Norton AntiVirus\Quarantine\2924786E.htm Infected: Trojan-Clicker.HTML.IFrame.b skipped
D:\Program Files\Norton AntiVirus\Quarantine\2927226A.jar/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
D:\Program Files\Norton AntiVirus\Quarantine\2927226A.jar/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
D:\Program Files\Norton AntiVirus\Quarantine\2927226A.jar/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
D:\Program Files\Norton AntiVirus\Quarantine\2927226A.jar ZIP: infected - 3 skipped
D:\Program Files\Norton AntiVirus\Quarantine\2927226A.jar CryptFF: infected - 3 skipped
D:\Program Files\Norton AntiVirus\Quarantine\292E7663.htm Infected: Trojan-Clicker.HTML.IFrame.b skipped
D:\Program Files\Norton AntiVirus\Quarantine\18825CC9.exe Infected: Trojan-Downloader.Win32.Agent.aey skipped
D:\Program Files\Yahoo!\YPSR\Quarantine\ppqFB.tmp\ACM.dll Infected: not-a-virus:AdTool.Win32.WhenU.g skipped

Scan process completed.

Gary Richardson
02-08-2007, 09:56 AM
Hi Syd,

Kaspersky logs are always scary at first view, but actually your system is not so bad as the log looks. Many of the flagged items are locked because the parent process is still active, and thus they cannot be scanned. I can't see any malicious processes among them; for the most part they are logs and .dat files for legit processes.

There are also a number of quarantined items in Norton; these are encrypted and as such are no threat to your computer. But as you're wanting to remove Norton we'll delete them anyway.

There are however a couple of things that need looking at.

Download Pocket Killbox (http://www.downloads.subratam.org/KillBox.zip) and install it to your Desktop. Do not run it yet.


First copy the filepaths in the box below to your clipboard, by highlighting them and pressing Ctrl+C.

C:\goldcodec.997.exe
D:\WINDOWS\NDNuninstall6_98.exe
D:\Program Files\Yahoo!\YPSR\Quarantine\ppqFB.tmp\ACM.dll

Open Killbox and check a mark in the "RadioBox" which says Delete On Reboot
Click File > Paste from Clipboard.
Click All Files button.
Click on the Red button with a Cross, and answer Yes when prompted to Backup and Delete the pasted files.
Answer Yes when prompted to Reboot now.


If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, download and run missingfilesetup.exe (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe). Then try Killbox again.

Now delete the contents of this folder (in bold).

C:\Program Files\Norton AntiVirus\Quarantine <- Do not delete the folder itself.

Download CCleaner (http://www.ccleaner.com/) to clean temp files from your computer.

Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click Next to accept the default location.
Uncheck Add CCleaner Yahoo Toolbar and use CCleaner from within IE
Click Install then Finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.

On the Windows tab, under Internet Explorer uncheck Cookies if you do not want them deleted.
If you use either Firefox or Mozilla, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.

Click the Options icon at the left side of the window, then click on Advanced.

Uncheck Only delete files in Windows Temp folders older than 48 hours.

Click the Cleaner icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you ever use the Issues feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.


As you say your definitions for Norton are no longer current, the programme is no use at all, and you should remove it from your computer. Uninstalling Norton is known to give problems, so to best avoid these:

Go HERE (http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2006031710323113?Open&docid=2005033108162039&nsf=tsgeninfo.nsf&view=docid&pid=2005033108162039&pkb=tsgeninfo) and download the Removal Tool to your computer (the one that comes with your copy of Norton is usually not very good).

Disconnect from the internet before Uninstalling Norton.

Double click on the tool to remove Norton from your computer.

Once uninstalled, reboot your computer before installing the AVG Anti-Virus you have already downloaded.

Now run a new HJT scan on your computer and post the log back here (there will probably STILL be components for Norton that need removing from your computer).

I could also do with an Uninstall list from you.

Creating an Uninstall List

Open HJT, and click on Config, followed by Misc Tools.
Click on Open Uninstall Manager, and then click on Save List.
This will create a file uninstall_list.txt and prompt you to save it to your HJT folder.
Save it please, and copy it to your next post.


We'll probably need to do another Kaspersky scan to make sure we've removed those items successfully, but I'd wait until we've got rid of Norton properly from your Computer before we do that.
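
Added example (editor's addition, not code from Gary or from any of the tools named in this thread): a small Python script that reads a Kaspersky Online Scanner report of the kind posted above and sorts the result lines the way Gary reads them, into objects that were merely locked (in use, never scanned), detections sitting inside an AV quarantine folder (already isolated, clean-up only), and detections on live files (the ones that need action). The sample report is constructed from lines quoted in this thread; the goldcodec line is made up so that the "live file" case appears, and the detection name on it is borrowed from another line of the report rather than taken from any Kaspersky verdict on that file. The same script applies to the later reports in this thread.

```python
"""Triage a Kaspersky Online Scanner report into locked / quarantined / needs-action."""
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the report lines quoted in this thread. The
# goldcodec line is made up (the thread never shows it in a Kaspersky report) to
# give the parser one detection on a live file outside any quarantine folder.
SAMPLE_REPORT = """\
Infected Object Name / Virus Name / Last Action
D:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
D:\\Documents and Settings\\user\\NTUSER.DAT Object is locked skipped
D:\\Program Files\\Norton AntiVirus\\Quarantine\\2924786E.htm Infected: Trojan-Clicker.HTML.IFrame.b skipped
D:\\Program Files\\Norton AntiVirus\\Quarantine\\2927226A.jar/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
D:\\Program Files\\Norton AntiVirus\\Quarantine\\2927226A.jar ZIP: infected - 3 skipped
C:\\Program Files\\Norton AntiVirus\\Quarantine\\2F774C4B.htm Suspicious: Exploit.HTML.Mht skipped
D:\\Program Files\\Yahoo!\\YPSR\\Quarantine\\ppqFB.tmp\\ACM.dll Infected: not-a-virus:AdTool.Win32.WhenU.g skipped
C:\\goldcodec.997.exe Infected: Trojan-Downloader.Win32.Agent.aey skipped

Scan process completed.
"""

# One result line is "<path> <status> <last action>", where status is one of:
#   "Object is locked"                  file in use, never actually scanned
#   "Infected: <name>" / "Suspicious: <name>"
#   "<container>: infected - <n>"       archive summary line (ZIP, CryptFF, ...)
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"(?P<locked>Object is locked)"
    r"|(?P<verdict>Infected|Suspicious): (?P<name>\S+)"
    r"|(?P<container>\S+): infected - (?P<count>\d+)"
    r") (?P<action>\S+)$"
)


def parse_report(text):
    """Return one dict per result line; header, blank and footer lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        if g["locked"]:
            kind, name = "locked", None
        elif g["verdict"]:
            kind, name = g["verdict"].lower(), g["name"]
        else:
            kind, name = "container", f"{g['container']} ({g['count']} infected members)"
        records.append({"path": g["path"], "kind": kind, "name": name, "action": g["action"]})
    return records


def classify(rec):
    """Bucket a record the way the thread reads the log."""
    if rec["kind"] == "locked":
        return "locked"          # held open by a running process; no verdict at all
    if "\\quarantine\\" in rec["path"].lower():
        return "quarantined"     # already isolated by an AV product; clean-up, not an active threat
    return "needs_action"        # a detection on a live file: the lines worth acting on


def triage(text):
    records = parse_report(text)
    buckets = defaultdict(list)
    for rec in records:
        buckets[classify(rec)].append(rec)
    return {
        "counts": {k: len(v) for k, v in buckets.items()},
        "detections": Counter(r["name"] for r in records if r["name"]),
        "needs_action": [r["path"] for r in buckets["needs_action"]],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("counts:", result["counts"])
    for name, n in result["detections"].most_common():
        print(f"  {n:3d}  {name}")
    print("live files to deal with:", result["needs_action"] or "none")
```

Run it against a saved report (replace SAMPLE_REPORT with the file contents) and the "needs_action" list is the short list to take back to the thread; the locked bucket is noise from the registry hives, event logs and index.dat files that Windows keeps open, exactly as Gary says.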

Syd
02-08-2007, 09:31 PM
Ok Gary...whew! that was another marathon at the computer. I downloaded Killbox and deleted those three files. I then downloaded CCleaner and did exactly as you said except I couldn't find this:

Uncheck Only delete files in Windows Temp folders older than 48 hours.

So I ran the scan anyway and it deleted 168 MB. Wow! I have always just deleted my temporary files by right clicking on my C: drive and then clicking the clean button. And when I finished I checked back on your notes and found that the above button was under the Advanced tab, so I went and unchecked it. I ran the scan again but it said there was nothing to be deleted. Do you think it will make a big difference?

Ok, then I downloaded the Removal Tool and that all went smoothly. (An aside here Gary: thank you for your very detailed, meticulously set out, exceptionally clear instructions - oh boy! does Microsoft need someone like you.) The only thing it didn't remove was the desktop icon. I suppose I could just drag that into the recycle bin.

Next I installed AVG. I did as I was prompted. (If I sound very obedient here it is not, necessarily, that I always do as I am told. It is just that, in the matter of computers, I make no pretences about my ignorance). It asked me if I wanted to scan right there and then which I did but it was taking ages (you get to choose between a fast scan which uses more memory and a slow scan which uses less and, seeing that from now on I will be doing a daily scan - you have reformed me - I chose the slower one) and so I stopped the scan. Moreover I wanted to get you the next HJT log before I have to go out.

And here it is. Next I will do the Uninstall log as you said and then perhaps while I am out this afternoon I will let AVG do a scan but, don't worry, I won't let it fix anything. I will wait until I hear from you later.

Regards Syd


Logfile of HijackThis v1.99.1
Scan saved at 上午 11:54:41, on 2007/2/9
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Wintab32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE
D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Program Files\Grisoft\AVG Free\avgcc.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - D:\PROGRA~1\Inventec\Dreye\DreyeMT\DREYEI~1.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P26 "EPSON Stylus CX3500 Series" /O6 "USB001" /M "Stylus CX3500"
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download all by Net Transport - D:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - D:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=Http://www.synnex.com.tw/
O15 - Trusted Zone: http://office.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{B02DC897-A387-4AE6-AD76-E98EA833946F}: NameServer = 168.95.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - D:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Wintab32 - Unknown owner - D:\WINDOWS\system32\Wintab32.exe

Syd
02-08-2007, 11:13 PM
Gary

Here is the Uninstall list as requested. Nope, it looks like Symantec is good and truly gone. Even I can tell that. Thanks to you I have become quite an expert on these things of late! LOL Don't worry, I won't be giving out any advice!

Here is the log and I am running AVG at the moment. I shall wait for your instructions and perhaps run Kaspersky again tonight before I go to bed.

Sincerely Syd
ACDSee 5.0 PowerPack
Adobe Acrobat 5.0
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Illustrator CS
Adobe Photoshop 7.0
Adobe Photoshop CS
Adobe Photoshop CS2
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
ArcSoft PhotoImpression
AVG Free Edition
CCleaner (remove only)
Curves 2 Demo
Dr.eye 譯典通 6.0 (專業版)
Dr.eye 譯典通 6.0 (專業版) 辭典和辭書
eDonkey2000
EPSON CardMonitor
EPSON Copy Utility
EPSON Copy Utility 3
EPSON Photo Print
EPSON PhotoQuicker3.5
EPSON PhotoStarter3.1
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
EPSON TWAIN 5
EPSON Web-To-Page
ESCX3500 Reference Guide
ESCX3500 Software Guide
GML Matting 0.1
HijackThis 1.99.1
iTunes
Kaspersky Online Scanner
KnockOut 2
Macromedia Shockwave Player
Microsoft Office Word 2003 Step by Step
Microsoft Office XP Professional with FrontPage
Microsoft Office XP Web Components
MSN Messenger 7.5
Neat Image v5.0 Pro+
Nero 6 Ultra Edition
Net Transport 1.93.276 with FTP Transport 0.91
Pando
Photo Resize Magic 1.0
PIF DESIGNER2.1
PowerDVD
QuickGamma 2.0.0.3
QuickTime
Random Word Generator
Realtek AC'97 Audio
ScanToWeb
SiS 650GX
Spybot - Search & Destroy 1.4
TuneUp Utilities 2006
USB Tablet Driver
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 安全性更新 (KB911565)
Windows Media Player 10 安全性更新 (KB917734)
Windows Media Player 6.4 安全性更新 (KB925398)
Windows Media Player 安全性更新 (KB911564)
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB886677
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Windows XP 安全性更新 (KB890046)
Windows XP 安全性更新 (KB893066)
Windows XP 安全性更新 (KB893756)
Windows XP 安全性更新 (KB896358)
Windows XP 安全性更新 (KB896422)
Windows XP 安全性更新 (KB896423)
Windows XP 安全性更新 (KB896424)
Windows XP 安全性更新 (KB896428)
Windows XP 安全性更新 (KB896688)
Windows XP 安全性更新 (KB899587)
Windows XP 安全性更新 (KB899588)
Windows XP 安全性更新 (KB899591)
Windows XP 安全性更新 (KB900725)
Windows XP 安全性更新 (KB901017)
Windows XP 安全性更新 (KB901190)
Windows XP 安全性更新 (KB901214)
Windows XP 安全性更新 (KB902400)
Windows XP 安全性更新 (KB904706)
Windows XP 安全性更新 (KB905414)
Windows XP 安全性更新 (KB905749)
Windows XP 安全性更新 (KB905915)
Windows XP 安全性更新 (KB908519)
Windows XP 安全性更新 (KB908531)
Windows XP 安全性更新 (KB911280)
Windows XP 安全性更新 (KB911562)
Windows XP 安全性更新 (KB911567)
Windows XP 安全性更新 (KB911927)
Windows XP 安全性更新 (KB912812)
Windows XP 安全性更新 (KB912919)
Windows XP 安全性更新 (KB913446)
Windows XP 安全性更新 (KB913580)
Windows XP 安全性更新 (KB914388)
Windows XP 安全性更新 (KB914389)
Windows XP 安全性更新 (KB916281)
Windows XP 安全性更新 (KB917159)
Windows XP 安全性更新 (KB917344)
Windows XP 安全性更新 (KB917422)
Windows XP 安全性更新 (KB917953)
Windows XP 安全性更新 (KB918439)
Windows XP 安全性更新 (KB918899)
Windows XP 安全性更新 (KB919007)
Windows XP 安全性更新 (KB920213)
Windows XP 安全性更新 (KB920214)
Windows XP 安全性更新 (KB920670)
Windows XP 安全性更新 (KB920683)
Windows XP 安全性更新 (KB920685)
Windows XP 安全性更新 (KB921398)
Windows XP 安全性更新 (KB921883)
Windows XP 安全性更新 (KB922616)
Windows XP 安全性更新 (KB922760)
Windows XP 安全性更新 (KB922819)
Windows XP 安全性更新 (KB923191)
Windows XP 安全性更新 (KB923414)
Windows XP 安全性更新 (KB923689)
Windows XP 安全性更新 (KB923694)
Windows XP 安全性更新 (KB923980)
Windows XP 安全性更新 (KB924191)
Windows XP 安全性更新 (KB924270)
Windows XP 安全性更新 (KB924496)
Windows XP 安全性更新 (KB925454)
Windows XP 安全性更新 (KB925486)
Windows XP 安全性更新 (KB926255)
Windows XP 安全性更新 (KB929969)
Windows XP 更新 (KB894391)
Windows XP 更新 (KB896727)
Windows XP 更新 (KB898461)
Windows XP 更新 (KB900485)
Windows XP 更新 (KB910437)
Windows XP 更新 (KB916595)
Windows XP 更新 (KB920872)
Windows XP 更新 (KB922582)
World Machine 1.25 Basic Edition (remove only)
Yahoo! Anti-Spy
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo!奇摩捷徑列
ZoneAlarm
綜合所得稅結算電子申報繳稅系統

Gary Richardson
02-09-2007, 01:18 AM
Post 1 of 2



Hi Syd,

Well as expected Norton didn't come out entirely cleanly, so we've got a service that needs removing.

First we'll need to disable Spybot's Tea-Timer facility, as it will interfere with what we're trying to do.

To disable Spybot S&D TeaTimer

Run Spybot-S&D
Go to the Mode menu, and make sure Advanced Mode is selected.
On the left hand side, choose Tools -> Resident
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer.


OK, now to get down to removing the service.


Click Start > Run, now type sc stop "Symantec Core LC", and click OK.
Click Start > Run, now type sc delete "Symantec Core LC", and click OK.

Note: There is a space between sc and stop/delete, and a space between stop/delete and "Symantec Core LC"

Also note the "" and the spaces in the service name, they are important.

Now run a scan with HJT, when it is finished check the following item.

O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Now close all open Windows and click Fix Checked to remove it.

Now find and delete the following folders (in bold).

D:\Program Files\Common Files\Symantec Shared
D:\Program Files\Symantec (Note: Second folder may be named differently, but will be readily identifiable as a Norton/Symantec folder.)

Re-enable Spybot Tea-Timer.

To enable Spybot S&D TeaTimer

Run Spybot-S&D
Go to the Mode menu, and make sure Advanced Mode is selected.
On the left hand side, choose Tools -> Resident
Check Resident TeaTimer and OK any prompts.


Now can you run another Kaspersky scan please, and send me the log for that and a new HJT log please.



Looking through your Uninstall list at the moment, if I find anything of concern I'll post further instructions.

Gary Richardson
02-09-2007, 01:40 AM
Post 2 of 2



Hi Syd,

OK looked through your Uninstall list.

I see you've got eDonkey2000 installed on your machine. P2P programmes in general are not a good idea from a security point of view, many of them come "packaged" with other undesirable programs (eDonkey is one of these), and even the "clean" packages are unsafe.

You are downloading programs from uncertified "servers" that you have no way to check, and a large amount of malware is spread this way.

My advice is to Uninstall eDonkey2000 using Add/Remove Programs in Control Panel.

If you really feel you just have to have a P2P program, check this page for details of unpackaged "clean" applications. http://p2p.malwareremoval.com/

The last entry in your Uninstall list is just a series of ??????????; this is probably because it is using Oriental characters (Windows defaults to ? when it can't read the character). Any idea what it might be? (Probably OK, but best to check, as Malware sometimes uses this method as a means to avoid detection.)

Syd
02-09-2007, 07:54 AM
Gary you're a star for spending so much time on this. I really appreciate it. Thank you so much.

I opened the Advanced mode in Spybot and went to Tools>Resident but found that the Tea Timer was unchecked already! Don't know how that happened as it definitely isn't anything I would have fiddled with before. Anyway, as there was no need to restart my computer I went straight to Run and executed the two commands you told me to. Then I did an HJT log but I couldn't find the entry you told me to look for. Just in case I am being a real idiot and it is staring me right in the face and I can't see it, I have included the HJT log for you to look at.

Will take your advice and remove eDonkey.

The last entry in the Uninstall log is a programme for submitting Income Tax online. It is in Chinese so you wouldn't have been able to read the characters. In fact there is quite a lot of Chinese in the Uninstall Log. My browser and Windows are all in Chinese so all those updates and service packs are too.

Here is the HJT log for you to check. I have no idea where that entry is.

I will start the Kaspersky scan now. Oh, and I ran AVG this afternoon and it found two viruses. It found and deleted two viruses. I didn't ask it to delete: it just did that on its own. Unfortunately you can't seem to save it as a log but I will type the details for you here. I think the one is just the entry for the virus that Killbox deleted. So that is pretty good, isn't it? It even deletes the reference to the virus! It makes me feel quite confident.

Object Name: goldcodec.997.exe
Object Path : D:\!KillBox\
Discovery : Trojan Horse Downloader.Zlob.DX
File size : 50.57 KB (51779 bytes)

Object Name: A0048698.exe
Object Path : C:\System Voume Information\_restore{D341 39E 4-9BE4-4AEC
Discovery : Virus identified worm/Generic.VF
File size : 46.5 KB (47616 bytes)



Sincerely Syd

Logfile of HijackThis v1.99.1
Scan saved at 下午 10:12:29, on 2007/2/9
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Wintab32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Program Files\Grisoft\AVG Free\avgcc.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\conime.exe
D:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - D:\PROGRA~1\Inventec\Dreye\DreyeMT\DREYEI~1.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P26 "EPSON Stylus CX3500 Series" /O6 "USB001" /M "Stylus CX3500"
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [UNINST1] rundll32 D:\DOCUME~1\user\LOCALS~1\Temp\UninstManager.dll,UninstallFinalizeFromNonMsiCaller {AC76BA86-0000-0000-0000-000000000000}
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download all by Net Transport - D:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - D:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=Http://www.synnex.com.tw/
O15 - Trusted Zone: http://office.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{B02DC897-A387-4AE6-AD76-E98EA833946F}: NameServer = 168.95.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - D:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Wintab32 - Unknown owner - D:\WINDOWS\system32\Wintab32.exe

Gary Richardson
02-09-2007, 08:57 AM
OK,

Seems the registry entry was removed when we removed the service (HJT is not always 100% reliable in this regard), so no problem there.

The viruses found were as follows.

1. This was the backup file created by Killbox when you removed it; it is encrypted, so no risk to you. The fact that AVG removed it is no problem, as we're highly unlikely to want to restore it.

2. The other shows an infected restore point. Some infections contaminate your System Restore points. I usually wait till I'm sure your computer is clean before cleaning out your restore points; they can't infect you unless you perform a System Restore. Best to leave them till the end, just on the highly unlikely case that we screw something up: better an infected RetouchPRO than no RetouchPRO. No problem that AVG disinfected that entry.

Latest HJT log looks clean.

Can you run a new Kaspersky scan for me please, just so I can make sure everything's come off cleanly.
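
Added example (editor's addition, not Gary's method and not HijackThis code): Gary checks the second HJT log by eye to confirm that the "Symantec Core LC" service entry went away after the sc delete step. The Python script below does that comparison mechanically, diffing two HijackThis logs by running process and by O-numbered entry, and separately listing O23 services that HJT labels "Unknown owner" (a prompt for a second look, not a verdict). The two log excerpts are copied from the logs posted in this thread and trimmed to the lines that change; the section names and parsing rules are my own assumptions about the HJT 1.99.1 log layout.

```python
"""Diff two HijackThis logs to confirm what a fix actually removed or added."""
import re

# Excerpts copied from the two HijackThis logs posted in this thread (before and
# after the "Symantec Core LC" service was deleted), trimmed to the lines that differ.
HJT_BEFORE = """\
Running processes:
D:\\WINDOWS\\System32\\smss.exe
D:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe
D:\\HJT\\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Adobe Acrobat 6.0\\Acrobat\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [AVG7_CC] D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O23 - Service: Symantec Core LC - Symantec Corporation - D:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe
O23 - Service: Wintab32 - Unknown owner - D:\\WINDOWS\\system32\\Wintab32.exe
"""

HJT_AFTER = """\
Running processes:
D:\\WINDOWS\\System32\\smss.exe
D:\\HJT\\HijackThis.exe

O4 - HKLM\\..\\Run: [AVG7_CC] D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKLM\\..\\RunOnce: [UNINST1] rundll32 D:\\DOCUME~1\\user\\LOCALS~1\\Temp\\UninstManager.dll,UninstallFinalizeFromNonMsiCaller {AC76BA86-0000-0000-0000-000000000000}
O23 - Service: Wintab32 - Unknown owner - D:\\WINDOWS\\system32\\Wintab32.exe
"""

# Every HJT finding is "O<n> - <body>"; the "Running processes:" block is plain paths.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt(text):
    """Return (processes, entries): lowercased process paths and (section, body) pairs."""
    processes, entries = set(), set()
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False            # a blank line ends the process block
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.add((m.group(1), m.group(2)))
        elif in_procs:
            processes.add(line.lower())  # paths are case-insensitive on Windows
    return processes, entries


def diff_hjt(before, after):
    """What disappeared and what appeared between two logs of the same machine."""
    p0, e0 = parse_hjt(before)
    p1, e1 = parse_hjt(after)
    return {
        "processes_gone": sorted(p0 - p1),
        "processes_new": sorted(p1 - p0),
        "entries_gone": sorted(e0 - e1),
        "entries_new": sorted(e1 - e0),
    }


def unknown_owner_services(text):
    """O23 services HJT could not attribute to a vendor; worth checking, not proof of anything."""
    _, entries = parse_hjt(text)
    return sorted(body for sec, body in entries if sec == "O23" and "Unknown owner" in body)


if __name__ == "__main__":
    for key, items in diff_hjt(HJT_BEFORE, HJT_AFTER).items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
    print("services with unknown owner:", unknown_owner_services(HJT_AFTER))
```

On the excerpts above the diff shows the Symantec service entry and its running process gone, the Acrobat BHO gone, and one new RunOnce entry left behind by an uninstaller, which is the kind of thing a reader skimming a 70-line log can miss.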

Syd
02-09-2007, 08:13 PM
Ok Gary ran Kaspersky last night and this is what it came up with. It still found a whole lot but they all seem to be quarantined or locked so I suppose they are no threat?

I have also had the guy from the ADSL company around this morning (because my computer has just been going offline at will and I thought it might be related to some virus) but it seems my wireless connection box (the receiver thingy) might not be stable. Anyway he didn't have a spare with him (and of course when he was here it acted fine) but said if it continued I should phone him again and he will bring a replacement.

I will do another HJT scan and post the results immediately.

Sincerely Syd

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, February 10, 2007 8:22:55 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/02/2007
Kaspersky Anti-Virus database records: 266463
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 105423
Number of viruses found: 9
Number of infected objects: 16 / 0
Number of suspicious objects: 5
Duration of the scan process: 03:22:36

Infected Object Name / Virus Name / Last Action
C:\Program Files\Norton AntiVirus\Quarantine\021540D6.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\02186AD3.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\000C2914.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F0D2860.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\26C147E1.class Infected: Trojan.Java.ClassLoader.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F774C4B.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F911C2E.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\30DE56C0.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\30F252AA.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\3137445E.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\373A53AA.class Infected: Trojan.Java.ClassLoader.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\73203422.class Infected: Trojan.Java.ClassLoader.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\3BA412CE.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\43AB3F35.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\4EA754D3.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\34B64E0B.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\06145256.class Infected: Trojan.Java.ClassLoader.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\06177C52.class Infected: Trojan.Java.ClassLoader.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\048E4A54.htm Infected: Trojan-Downloader.JS.IstBar.k skipped
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
D:\WINDOWS\system32\config\SYSTEM Object is locked skipped
D:\WINDOWS\system32\config\DEFAULT Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
D:\WINDOWS\system32\h323log.txt Object is locked skipped
D:\WINDOWS\Temp\ZLT06d1e.TMP Object is locked skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\Sti_Trace.log Object is locked skipped
D:\WINDOWS\wiaservc.log Object is locked skipped
D:\WINDOWS\wiadebug.log Object is locked skipped
D:\WINDOWS\SchedLgU.Txt Object is locked skipped
D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINDOWS\SoftwareDistribution\EventCache\{A7735457-24AE-46A2-A21F-CEF090824478}.bin Object is locked skipped
D:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
D:\WINDOWS\Internet Logs\DESKTOP.ldb Object is locked skipped
D:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\user\NTUSER.DAT.LOG Object is locked skipped
D:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\user\Local Settings\History\History.IE5\MSHist012007021020070211\index.dat Object is locked skipped
D:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
D:\!KillBox\ACM.dll Infected: not-a-virus:AdTool.Win32.WhenU.g skipped
D:\!KillBox\NDNuninstall6_98.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped

Scan process completed.

Syd
02-09-2007, 08:14 PM
Gary here is the HJT scan. Many thanks Syd

Logfile of HijackThis v1.99.1
Scan saved at 上午 11:13:58, on 2007/2/10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Wintab32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\System32\alg.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
D:\WINDOWS\system32\conime.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - D:\PROGRA~1\Inventec\Dreye\DreyeMT\DREYEI~1.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P26 "EPSON Stylus CX3500 Series" /O6 "USB001" /M "Stylus CX3500"
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download all by Net Transport - D:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - D:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=Http://www.synnex.com.tw/
O15 - Trusted Zone: http://office.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - D:\WINDOWS\system32\ZONELABS\vsmon.exe

Gary Richardson
02-10-2007, 01:25 AM
Hi Syd,

As far as I can see, your computer is clear of any infection. I can't guarantee that you won't get the warning windows on your browser, but I can say with some confidence that it is not caused by any hidden infection that you may have.

It is of course possible that you have a new form of Rootkit that isn't detected by GMER, but that likelihood is very remote as the writer of GMER keeps it very much up to date with the latest Rootkit techniques.

OK, let's do a little tidying up, then I'll give you a list of things you can do to secure your computer. You've already done some of them, but read through the list and attend to any you may have missed.

Right, first thing is to delete these folders (in bold).

D:\!KillBox
C:\Program Files\Norton AntiVirus

You can also delete the Killbox executable, Killbox.exe; you won't be needing it further. Killbox is a very powerful programme and, if used inappropriately, can do a lot of damage.

Now to secure your system.

THESE STEPS ARE VERY IMPORTANT

Let's reset System Restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot.

Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

NOTE: only do this ONCE, NOT on a regular basis.


Updating Windows and Internet Explorer

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you're running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed. (Free at Microsoft Office Update).

Make your Internet Explorer more secure (some people are annoyed by the prompts they get after they've done this, so it's optional; however, your computer will be less secure. As I use Firefox, tying IE down like this does not bother me; however, if you use IE as your main browser you may want to trade off security for utility. Your choice).

From within Internet Explorer click on Tools > Options > Security > Internet > Custom Level.
Make sure these options are set as follows:

Download signed ActiveX controls to Prompt
Download unsigned ActiveX controls to Disable
Initialize and script ActiveX controls not marked as safe to Disable
Installation of desktop items to Prompt
Launching programs and files in an IFRAME to Prompt
Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Press the Apply button and then the OK to exit the Internet Properties page.

The following are free programs that are designed to keep your computer clean. A brief description is included with each item; click on the name to go to the download site.


Adaware SE Personal (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-1)
Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=48)

Spybot S & D (http://www.download.com/Spybot-Search-Destroy/3000-8022-10122137.html?part=dl-spybot&subj=dl&tag=but)
Spybot is a scanner like Adaware. It scans for spyware and other malicious programs. It is important to have both Adaware and Spybot on your computer because each program provides unique detection and protection measures. Spybot has preventive tools that stop programs from even installing on your computer.
To see how to set this up as well as more spybot features, see here (http://www.bleepingcomputer.com/forums/index.php?showtutorial=43)

SpywareBlaster (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It makes "kill bits" in the registry, so that certain ActiveX controls can't install.
If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

IE Spyad (http://www.spywarewarrior.com/uiuc/resource.htm)
It puts many bad webpages on your Restricted Zone list. This means that you can still view the "bad" webpages, but the webpages can't do certain things (such as use JavaScript and cookies). Use IE Spyad for single-account computers, and IE Spyad 2 for multi-account computers.

Hosts file: (http://www.mvps.org/winhelp2002/hosts.htm)

Every version of Windows has a hosts file as part of it.
In a very basic sense, it is used to locate webpages.
We can customize a hosts file so that it blocks certain webpages.
However, it can slow down certain computers.
This is why using a hosts file is optional!!
Make sure you read the instructions on how to install the hosts file, here (http://www.mvps.org/winhelp2002/hosts2.htm).

If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:

Click the Start button (at the lower left hand corner of your screen).
Click Run. In the dialog box, type services.msc.
Hit Enter, then locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.

Use anti-virus software - it's very important that your computer has anti-virus software running. This alone can save you a lot of trouble with malware in the future. See this link for a list of some online and stand-alone anti-virus programs:
Computer Safety Online - list of free anti-virus programs (http://www.freebyte.com/antivirus/#scanners)

Use a Firewall - I cannot stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
See here (http://www.freebyte.com/antivirus/#firewalls) to choose one.

Site Advisor (http://www.siteadvisor.com/) This is a utility that can be downloaded and installed. It loads an icon to the taskbar of your browser (versions for IE and Firefox), indicating the trustworthiness of the site you are on. Green for safe, Red for suspicious. Click on the icon to access details that SiteAdvisor has about the site. It also marks entries when you're doing a Google search, and I personally find this the most useful feature as it allows you to judge how safe a site is before you visit it. Despite the fact that it's now owned by McAfee, I highly recommend it.


Just a final reminder for you.

UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Run Spybot and Adaware regularly. (Once a week minimum)
It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure you always have the latest security updates installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Gary
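
How a blocklist-style hosts file does its job, as an added example that is not from Gary's post or from the MVPS project: a small Python parser that reads hosts-file syntax (comments, tabs, several names per line, malformed lines), then reports which names are sinkholed to a loopback or null address, which are pinned to some other fixed address, and which fall through to normal DNS. The sample entries, the hostnames and the 10.0.0.5 address are constructed for illustration only; the "first address listed wins" rule in build_table is an assumption made here so that duplicate entries can be reported separately.

```python
"""Added example (not from the thread): how a blocklist-style hosts file
steers name resolution.  The sample entries below are constructed for
illustration; real blocklists such as the MVPS file have thousands."""

import ipaddress

# Addresses that blocklists use to sink a name: the request goes nowhere.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Constructed sample hosts file (same layout as a Windows hosts file).
SAMPLE_HOSTS = """\
# Hosts file - constructed sample for this example
127.0.0.1   localhost
0.0.0.0     ads.example.net            # blocklist entry
0.0.0.0     tracker.example.org banner.example.org
127.0.0.1   ads.example.net            # duplicate of line 3, different address
10.0.0.5    update.example-av.test     # non-loopback pin: review this one
this line is malformed and ignored
"""


def parse_hosts(text):
    """Return (address, hostname, line_no) tuples from hosts-file text.

    Handles '#' comments, blank lines, tab/space separators and several
    names on one line.  Lines whose first field is not an IP address are
    skipped, which is also how the resolver treats them.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((str(address), name.lower(), line_no))
    return entries


def build_table(entries):
    """Map each hostname to the first address listed for it.

    Keeping only the first address is an assumption made in this example;
    duplicates are reported separately by find_conflicts().
    """
    table = {}
    for address, name, _ in entries:
        table.setdefault(name, address)
    return table


def classify(table, hostname):
    """'blocked' if the name is sinkholed, 'pinned:<ip>' if it is sent to
    some other fixed address, 'dns' if the file says nothing about it."""
    name = hostname.lower()
    if name == "localhost":
        return "loopback"          # the one name that belongs on 127.0.0.1
    address = table.get(name)
    if address is None:
        return "dns"
    if address in SINKHOLE_ADDRESSES:
        return "blocked"
    return "pinned:" + address


def find_conflicts(entries):
    """Names that appear with more than one distinct address."""
    seen = {}
    for address, name, _ in entries:
        seen.setdefault(name, set()).add(address)
    return {name: addrs for name, addrs in seen.items() if len(addrs) > 1}


def suspicious_pins(table):
    """Names pointed at a non-sinkhole address.  A blocklist only sinkholes;
    a pin to a real address is what a tampered hosts file looks like, so
    these deserve a manual check."""
    return sorted(name for name, address in table.items()
                  if address not in SINKHOLE_ADDRESSES)


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    table = build_table(entries)
    print(f"{len(entries)} entries, {len(table)} distinct names")
    for host in ("ads.example.net", "www.example.com", "update.example-av.test"):
        print(f"{host:28} -> {classify(table, host)}")
    print("conflicts:", find_conflicts(entries))
    print("pins to review:", suspicious_pins(table))
```

Running it against a real hosts file (read the file's text and pass it to parse_hosts) gives two things worth knowing after a clean-up: how many entries the blocklist added, which is what makes the DNS Client service slow on older machines, and whether anything in the file points a name at an address that is not a sinkhole, which is the pattern to look at by hand rather than assume is part of the list.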

Syd
02-10-2007, 03:37 AM
Gary you are an absolute star! Thank you so much for all the time and effort you have spent over the past week helping me out with my computer. I can't tell you how much I appreciate it. You explained everything so clearly and everything worked just like you said it would. And you did it all in such a way that never once did I feel like I was being spoken down to. Hats off to you Gary!

To update you on what I have done so far: OK, deleted those files that you said I should, and took the time to delete another 1 gig or so of stuff that I didn't need or want anymore, defragmented my hard drive and ran another AVG scan. All clean!

You won't believe this but when I went to switch off System Restore, I found that it had been switched off already. I don't think I ever had it on. It was probably like that when I bought it because I would never have switched it off in the first place. Anyway it is on now.

I went to update Windows but I had done that recently so there was nothing to update.

I am downloading the latest version of IE at the moment and will install immediately.

I also plan to download that Adaware Programme. I already have Spybot.

My AVG Antivirus is set to scan everyday. Perhaps that is a bit excessive. My Norton used to scan once a week. I will see how it goes. It doesn't seem to slow the computer down as much as Norton did.

All in all everything seems to be going a lot better now than a week ago. Ultimately I need a new computer but, to be honest, can't afford it right now so I got a bit panicky when this one seemed to be giving up the ghost. Thank you so much for rescuing it!

Will keep you posted if there are any further developments.

Sincerely and extremely gratefully
Syd

chrishoggy
02-10-2007, 04:17 AM
Scanning every day isn't excessive at all, in fact I would say it's the norm :)
Gary has said all the rest, as he is the malware/spyware Guru :)

Might also be worth spending a few $ on a data recovery/restore program such as
Acronis
http://www.acronis.com/homecomputing/products/

Or
RestoreIT (Gary, stop laughing)
http://www.farstone.com/software/restoreit.htm

These can give you the option of restoring all your system and personal files back to just before a problem started.

Gary Richardson
02-10-2007, 09:28 AM
Hi Syd,

Glad everything seems to be working fine, happy to help where I can.

As Chris has said, a good backup strategy is always a very good idea. (Just hope that mentioning RestoreIt doesn't start another round of discussions with our absent friend :D ).

Keep safe, any problems let me know.

1STLITE
02-12-2007, 10:29 AM
Hey, y'all!! Popular thread here, huh? lol

Well, I solved my issues - got a new computer!! yaaay! I am just in awe at this wonderful new device! I worked for so long with that pos, restarting over and over and over just to be able to keep working - sooooo slow. I am sure this one is no speed demon compared to a lot of folks' setups, but it sure is nice to me!!! To think I can edit, listen to music, chat and browse at the same freaking time is just AWESOME to me!!! My head is spinning, seriously!

Gary, I need your help one more time, if I may bother you. It will probably be a couple days til I can get it done, but I wonder if you mind checking over a HJT log for me, to let me know what I can safely disable in the startup. I had that other one pretty clean, yes, but this is different for me and I only knew what I was doing on the other because I looked up every little tiny thing about it, spent hours and hours - don't have that kind of time on my hands currently, though. Plus this has XP MCE (it was cheap), and I am clueless what some of this stuff is. Let me know if you can do this for me in a couple days, pretty please? I appreciate you SO much!

Have a Great Day, everyone!
Dawn

Gary Richardson
02-12-2007, 11:43 AM
No problem Dawn, just post it when you're ready.

Send me a PM with a link to the post so I don't miss it.