# Solved: New Log on viruses....



## Roe727 (Mar 9, 2004)

Here's that log...


----------



## Mosaic1 (Aug 17, 2001)

Thanks. I asked the Mods to close the other Thread. I'll be back in a while after I read this.


----------



## Mosaic1 (Aug 17, 2001)

Sometimes Norton can give you a false positive. I am still reading, but see no mention of dell.dll being loaded.

This computer looks to be a dell. You say it is a protected system file.

Have a look in this folder:
System32\dllcache

See if you find the files in question. Let me know.

Can you copy them?


----------



## Roe727 (Mar 9, 2004)

It is a dell. But there is no system32/dellcache, but I did find a dellsys.dll, which I couldn't open, it says it is an application extension....no luck there.

The other files (dell.dll and designer.dll), no I can't copy, it won't let me.

Have to scoot out with the hubby for a bit....I'll check this later, probably won't be doing too much more tonight though, busy night.


Thanks.


----------



## ~Candy~ (Jan 27, 2001)

Hubby???? 

I had you pegged for a him 


Lol....sorry about that


----------



## Mosaic1 (Aug 17, 2001)

Ok. Let's call it a night. We can start again tomorrow. Mornings are usually not good for me though. Afternoons are best. I'll post a file or two for you later. You can pick up the instructions in the AM and I'll be there later to follow up. 

If you have a dell, you may have a hidden partition with the backup files. Also dllcache is a hidden folder. So make sure you have hidden folders set to show. I think we did that already.

You can try a search for
dell.dll and designer.dll
See if they show up anywhere else.



I am in the US. Eastern Standard Time.


----------



## Mosaic1 (Aug 17, 2001)

Also, I followed the link you gave me. But this is the wrong forum. I'll ask a Mod to move it back to Security.


----------



## ~Candy~ (Jan 27, 2001)

http://forums.techguy.org/t326954.html

Here's the old thread, I was merging an unrelated thread earlier and messed up the merge 

Sorry about that guys


----------



## Mosaic1 (Aug 17, 2001)

Candy,

LOL It happens. Thanks for the link.

Roe,
Here we go with more directions.

I am attaching a zip file. Extract the reg file it contains. Its name is Leave.reg

Double click on leave.reg and say yes to the confirmation boxes when they appear.

Also, go back and find roe.reg again. Double click on that file too. I want to be sure it enters. The problem with regedit earlier may have interfered.

Let's clean up her uninstall key to remove extras from the Add Remove Programs list.

I need to see a registry key to do that.

Go to Start >Run and type regedit.

Press enter.
Navigate to:
*HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall*

Right click on uninstall and select Export. Save to the desktop.

Right click on the saved reg file and select Send to >Compressed.

This will create a new compressed file. Attach that file to your next reply. I'll use it to create a removal for the orphans.

Are you able to transfer files to her machine? Using the CD Drive for example.

Let me know how everything goes.


----------



## Mosaic1 (Aug 17, 2001)

That folder you wanted was not dellcache.

It was dllcache. I just noticed your post.

Look for a Folder in system32 named
DLLCACHE

See if it contains dell.dll and designer.dll

In fact here's a trick

Go to Start > Run
Paste in the following and press enter.
*Explorer.exe /n,/e,/select, C:\windows\system32\dllcache*

This will open a Windows Explorer window with the folder dllcache highlighted in the right pane.


----------



## Roe727 (Mar 9, 2004)

Actually I knew that it was system32\dllcache. That file wasn't there and since I was in the "d's"....I just happened to see those other ones...lol

Yes Candy...I'm a 41 y/o female...married almost 20 years, 2 teenagers and watch 7 children on a daily basis....but still sane...imagine that, lmao. Although when that thread disappeared, I was beginning to wonder and it was just YOU.....thanks for letting us have the link back. 

Back to the computer here, we did already set to show the hidden files. I searched for the dell.dll and designer.dll files and the only place they are is in the C:\Program Files\Common Files...humm

I'm in Eastern Standard Time also....and afternoons are good, naptime. 

Sorry about putting it in the wrong forum.

I'll work on the other things and post when I'm done, either tonight or tomorrow morning. Have a great night.


----------



## Roe727 (Mar 9, 2004)

Sorry...the leave.reg didn't work, I downloaded it from the link and then doubleclicked and it said...Registry Editor...Are you sure you want to add the information to the registry, I clicked Yes and then I get another screen that says: Cannot export A:leave.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor. Let me know what to do with this.

I clicked on the roe.reg again and took care of that.

Talk to you soon.


----------



## Mosaic1 (Aug 17, 2001)

Let me check it and I'll upload a new one. Watch for one more post.

Also, delete C:\WINDOWS\SYSTEM32\*DOOLSAV.DAT*
When you ran the l2mfix you had a ton of problems interfering. But you do have a lot of leftover files I would like it to clear up.

On your desktop, rename the l2mfix folder as oldl2mfix
Find l2mfix.exe and double click on it. It will create a new l2mfix folder on the desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter

Post the contents of the file which will open in notepad when it finishes.


----------



## Mosaic1 (Aug 17, 2001)

Let's try the registry again. Download the zip and extract the reg file. Be sure you extract the registry file first.

It is named againleave.reg

Double click on againleave.reg to enter into the registry. Say yes to the confirmation box.



Can you right click on dell.dll and choose send to Compressed? This would create a compressed copy of the file. Would it be possible to copy that compressed file to your computer in its compressed form using a CD burner and email it to me?

Katie_3232 @hotmail.com

I added a space to the email address. If you remove it, the address will work.

If so, try the other file, designer.dll too. If no joy, we may have to blindly remove the files using recovery Console. Do you have the install CD for this computer? I mean a regular Windows XP CD and not a recovery CD.


----------



## Mosaic1 (Aug 17, 2001)

> Cannot export A:leave.reg


I take it you tried to import from a floppy? Be sure to copy the file to the hard drive and then double click on it. There was nothing wrong with that file. Must have been a glitch. Says Export, not import.


----------



## Roe727 (Mar 9, 2004)

I am attaching the Current Version Uninstall file that you needed.

Yes I can transfer to her machine, I have been using floppies all along to transfer to AND from her machine to you, since she is not online and wont be until it is cleared up.

I tried the trick to find the dllcache file, but it is not there. It is only in Program Files/common files along with the other one, designer.dll

I deleted C:windows\system32\Doolsav.dat.

I ran another l2mfix report and that is attached also.

I downloaded againleave and it successfully was added.

When I right click on Dell.dll and choose to send it to compressed files a compressed folders error comes up that says File not found or no read permission

I got ahold of the reinstallation disc. It says operating system, reinstallation CD, Microsoft Windows XP Home edition, including service pack 1.


----------



## Mosaic1 (Aug 17, 2001)

I just got here and am reading. I'll post shortly.

I am thinking this is an NTFS (That's your file system) permissions issue.

Have a look at this article and see if you can take ownership of these files.
http://support.microsoft.com/?kbid=308421

If you succeed, then see about a zip. I hate to do something without being 100% certain.

Also make a quick note to have all passwords and any other sensitive information changed. I think one of the password stealing AIM viruses may have been included in the infections we removed.


----------



## Mosaic1 (Aug 17, 2001)

Your VX2 infection has not been active for a while. I see leftover files from other infections too. I see some files I had thought were already removed still listed. 

I want you to finish with the take Ownership first. If possible I would really like to see those files. 

When we have settled that, 
then I would like to have you run the second part of the l2mfix again and restart. 
Run l2mfix.bat Select #2 and press enter. 

That will restart you. It will clean up the one thing (again a leftover) still there. And I have a question about the ownership on a certain registry key. It resets it and if part two didn't run to completion, that may not have been reset back again. You are clear, but I want to get those nasty orphaned leftovers.

I will have to go over that file list too and then I'll let you know what else to delete after we have finished these steps. Again, these do not look to be running, but they are leftovers. 

Allow it time when it gets back into windows. If you get upset again, remember that last time you had a lot of junk interfering and I believe that some of the files the fix was supposed to create in part one were not there. BUT if after a long time you want to end it. Press CTRL + ALT + DEL and click the processes tab. Find cmd, right click on it and End Task. 

If you see ntdvm on the list, end task on that too.

And if you see string.exe end that one as well.

But do give it a lot of time before you terminate. 




Then post the results.


----------



## Mosaic1 (Aug 17, 2001)

BTW I have to say you are doing great work. Thanks for the concise answers. Whoever owns this computer owes you a very large debt of gratitude.


----------



## Roe727 (Mar 9, 2004)

Thank you, I've always had somewhat of a knack for computers, started to go to school for it way back, but then had kids and you know...the rest is history.

Anyway, I looked over the ownership article...which files do you want me to try this on (the dell.dll and designer.dll?) and what is the reason for doing this? Because we can't access those files the normal way??


----------



## Roe727 (Mar 9, 2004)

Also....do you want me to run the l2mfix in safe mode while I'm there or start in normal and run it and restart?


----------



## Mosaic1 (Aug 17, 2001)

You're welcome. This computer, or should I say the infections, have fought each step. But in fact, the actual VX2 removal was successful in spite of appearances.

Absolutely correct. dell.dll and designer.dll may have special permissions. NTFS allows that. It said possibly no read permission, so let's see if you can change that.

My concern is that we ran StartDreck and these didn't show as being loaded. But were they, and invisible to the program? We'll see what can be done to gain access. Good luck.


----------



## Mosaic1 (Aug 17, 2001)

You can do it in normal mode. There shouldn't be anything running trying to interfere.


----------



## Roe727 (Mar 9, 2004)

After I get to the owner tab and click on administrator to take ownership, it highlights it and then what do I do....do I click apply and ok...because there is nothing there, as in the instructions, that says replace owner on object?? 
What is your thought on this?


----------



## Mosaic1 (Aug 17, 2001)

I have FAT32 and so can only guess. Try clicking the Apply and ok and see what happens.


----------



## Roe727 (Mar 9, 2004)

Here ya go....

I've removed them.


----------



## Mosaic1 (Aug 17, 2001)

Wow Great! Thanks. Would you go back and now edit to remove the attachments please? I have them and if they are nasties it is safer not to have them here for download.

I'll look at them. BRB


----------



## Mosaic1 (Aug 17, 2001)

Good. I sent up for an online scan and they are for sure nasties. Go ahead and delete them. After that, I think you can run the fix and reboot. I'll be here.


----------



## Roe727 (Mar 9, 2004)

They won't delete....should I try killbox.exe and reboot to see if they are gone? And then AFTER they are gone run the l2mfix.bat?


----------



## Roe727 (Mar 9, 2004)

What are you talking about when you say you have a question about the ownership on a certain registry key.....whether it is a 'nasty'....lol ??


----------



## Mosaic1 (Aug 17, 2001)

Go ahead and try that. What kind of error do you get when you try to delete?


----------



## Roe727 (Mar 9, 2004)

The Error says :Cannot delete Dell: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use. Maybe that is the problem .... maybe it is "in use" somewhere....I thought maybe killbox might work, since you have had me use that before, but you know I think we tried it before. What do you think, maybe try in safe mode????


----------



## Mosaic1 (Aug 17, 2001)

The key is one Windows uses. The nasty writes to it repeatedly, adding a subkey of its own which runs and continues to make changes and rewrites itself if removed. So that makes this infection too hard to remove. Now the fix takes away permission from everyone to write to the key and its subkeys. That is what really allows the uninstall of this VX2. Part two as a matter of cleanup releases that and allows programs to write, delete, create new keys again. That is important because many legitimate Programs write to the key. I want you to run Part two so that it can undo the permission denial in the event that was not done. Part of Part two did run originally. And also fix another one or two registry entries.


----------



## Mosaic1 (Aug 17, 2001)

Go ahead into Safe mode and see if dell.dll will delete. Add designer.dll to that list too. If not, we have another tool to try. But it will only unload one dll unless you pay for the utility. I take it you cannot delete designer.dll either?


----------



## Roe727 (Mar 9, 2004)

No, I can't and that one showed up out of nowhere, it wasn't there before. I'm going into safe mode to try to get rid of dell.dll and then I'll reboot and run part 2 of the l2mfix and send it to you.


----------



## Roe727 (Mar 9, 2004)

ok....now I went and used killbox on the dell.dll and it asked if I wanted to reboot, I hit yes and I get a box that says "PendingFileRenamOperations Registry Data has been Removed by External Process!...with an ok button to push....?????????


----------



## Mosaic1 (Aug 17, 2001)

Yup. We have something running and protecting itself. It prevents the Killbox from removing the file. Was this in Safe mode?


----------
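The Killbox warning above says the delete-on-reboot entries it queued were gone from the registry before the restart. As an added illustration (not part of the thread and not Killbox's own code), this Python example decodes the `PendingFileRenameOperations` value and reports queued operations that have disappeared. The sample queue and the exact file paths in it are constructed for the example.

```python
"""Decode the delete/rename-on-reboot queue and report entries that vanished."""
import re
from typing import List, NamedTuple

# Documented home of the queue written by MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT):
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, REG_MULTI_SZ value below.
VALUE_NAME = "PendingFileRenameOperations"


class PendingOp(NamedTuple):
    action: str       # "delete" or "rename"
    source: str
    destination: str  # empty string for a delete


def from_reg_export(text: str) -> bytes:
    """Turn the hex(7):... payload of a regedit export into raw bytes."""
    payload = text.partition("hex(7):")[2]
    payload = re.sub(r"[\\\s]", "", payload)  # drop line continuations and spaces
    return bytes(int(b, 16) for b in payload.split(",") if b)


def encode_multi_sz(strings: List[str]) -> bytes:
    """Build REG_MULTI_SZ bytes (used here only to construct sample data)."""
    return ("".join(s + "\x00" for s in strings) + "\x00").encode("utf-16-le")


def decode_multi_sz(raw: bytes) -> List[str]:
    """Split REG_MULTI_SZ bytes, keeping the empty strings that mark deletes."""
    text = raw.decode("utf-16-le")
    # Remove the list terminator, then the last string's own terminator.
    for _ in range(2):
        if text.endswith("\x00"):
            text = text[:-1]
    return text.split("\x00") if text else []


def _win32_path(entry: str) -> str:
    # Entries are NT paths (\??\C:\...); a leading "!" on a destination
    # means "replace the existing file".
    entry = entry.lstrip("!")
    return entry[4:] if entry.startswith("\\??\\") else entry


def parse_pending(raw: bytes) -> List[PendingOp]:
    """Read the value as (source, destination) pairs; empty destination = delete."""
    strings = decode_multi_sz(raw)
    if len(strings) % 2:          # a lone trailing source is treated as a delete
        strings.append("")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if not src:
            continue
        action = "rename" if dst else "delete"
        ops.append(PendingOp(action, _win32_path(src), _win32_path(dst)))
    return ops


def missing_operations(queued: List[PendingOp],
                       current: List[PendingOp]) -> List[PendingOp]:
    """Operations that were queued but are no longer present in the value."""
    def key(op: PendingOp):
        return (op.action, op.source.lower(), op.destination.lower())
    present = {key(op) for op in current}
    return [op for op in queued if key(op) not in present]


# Constructed sample: what a removal tool queued, and an emptied value
# as it might look just before the reboot.
QUEUED_RAW = encode_multi_sz([
    r"\??\C:\Program Files\Common Files\dell.dll", "",
    r"\??\C:\Program Files\Common Files\designer.dll", "",
])
AT_SHUTDOWN_RAW = encode_multi_sz([])

if __name__ == "__main__":
    queued = parse_pending(QUEUED_RAW)
    for op in missing_operations(queued, parse_pending(AT_SHUTDOWN_RAW)):
        print(f"queued {op.action} of {op.source} is no longer in {VALUE_NAME}")
```

To use it on real data, export the Session Manager key from regedit and pass the `hex(7):` text of the value to `from_reg_export` before and after queuing the deletion.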



## Roe727 (Mar 9, 2004)

Yes...and what next?? Do you still want me to run that scan?


----------



## Mosaic1 (Aug 17, 2001)

No. No scans. Let's try one more tool and after that we'll have to try recovery console.

Download Copylock from this link:
http://www.soft32.com/download_8644.html

Run CopyLock:

set up these options: 
-Check- 'Show Source paths' 
-Check: 'Allow Downgrade'

Click the 'Add' tab -> 'Files to delete'

Select dell.dll and press the Add Button in the dialog.
Back at the main Program Window:
Do the same for designer.dll

Press apply. Wait for results to display.


----------



## Mosaic1 (Aug 17, 2001)

After you finish with Copylock, let me know how that went.

Next. I am uploading another script in a zip.

Extract the vbs from the zip.
Look at the clock in systray. Wait for the minute to turn over.
Double click on Open Hijackthis with priv.vbs



This will run hijackthis after a wait of about a minute. Hijackthis will open and be running from the system account with elevated privileges. It may see something it doesn't when it is run normally.
Run it and create a log. Post that log. Leave this copy of HT open. We may want to use it. 

Again, this is a script and Norton will warn. Please allow it to run. I wrote it and its sole purpose is to let us use HT with elevated privileges.


----------



## Roe727 (Mar 9, 2004)

Ok...Did that and it said "2 files were successfully processed". Went in to see if they were there and they are GONE.....WOOOOHOOOO...but now, should I reboot and see if they are still gone. I'm still in safe mode at the moment.


----------



## Mosaic1 (Aug 17, 2001)

Yes. Go back to regular windows. But first go to start>Run and type
%temp%
Press enter

Select all files and delete.

Then run that script to start Hijackthis in System Mode.

I am researching that other trojan you just removed. It was a downloader and so I really want to be clear before you hook up again.

Also empty the recycle bin.

I bet the Norton definitions are not up to date. But I don't care. Run a full AV Scan after you post the hijackthis log. See if it picks up anything else. It will in the System Restore. But that's normal and will be dealt with later. The nasty files aren't running from system restore and AV cannot remove files from that location.


----------



## Mosaic1 (Aug 17, 2001)

BTW Great call. Without that piece of information from you about the Norton Warning we would never have had a clue about that Trojan being there.


----------



## Roe727 (Mar 9, 2004)

I extracted the file and ran it and the log is below.

Emptied the recycling bin. designer.dll and dell.dll were there.

You want me to run Norton now?? That will take quite awhile so I dont know if I will have the results tonight or not. Let me know.

Logfile of HijackThis v1.99.0
Scan saved at 4:24:49 PM, on 2/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\DOCUME~1\SUSANZ~1\Desktop\HIJACK~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.0.1.20/squelchies/squelchies-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet/peaks/peaks-ob-assets.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr_ext.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.e


----------



## Roe727 (Mar 9, 2004)

I just realized something, she has 2 recycling bins set up...a norton protected one and a regular one. I emptied the regular one and the protected one says, "There are 1,500 protected files total on drive C. You have 1,087 protected files on drive C." Options on this are Purge Yours, Purge All and Cancel....What do I do with that??


----------



## Mosaic1 (Aug 17, 2001)

I would purge them.

The research I did on how this last trojan loads tells me we are missing an entry I want to see.


We'll dig into this more later. In the meantime, please run Norton. You must be about ready to take a break and do some other things. Let it run and let me know what it finds.

I'll be around later and will post a script or two we can use to look at a few more things. You still have a lot of leftover files I saw in your other reports. Some of which we will remove too. We are getting there. I haven't forgotten about the l2mfix and the uninstall key either.


----------



## Roe727 (Mar 9, 2004)

Ok...sounds good to me. I'm starting Norton now....I'll let you know.
Thanks.


----------



## Roe727 (Mar 9, 2004)

Ok..here's the update...That didn't take nearly as long as I thought it would.
Norton found 5 infected files and the repair failed on all of them. Here's the list:
Blues123.dll, CENTHELP.dll, crashInfo.dll, Hamsterball.dll and patchw32n.dll, they are all Trojan Horses.


----------



## Roe727 (Mar 9, 2004)

Oops sorry....do you want me to quarantine them??


----------



## Mosaic1 (Aug 17, 2001)

Where are they located?


----------



## Mosaic1 (Aug 17, 2001)

Download Stinger and run that. It's a McAfee tool. It will fit on floppy.
http://vil.nai.com/vil/stinger/

Let's see if there are any other things Norton missed. And there could still be more.


----------



## Roe727 (Mar 9, 2004)

Went to search, typed them in and here is the answer to that
Blues123.dll is in C:\hegames\Blues123...maybe I can delete that from add/remove as it is part of a game file??
Centhelp.dll is in C:\Program Files\Norton SystemWorks\Norton\Centhelp.dll
Crashinfo.dll is in C:\Program Files\Gamehouse\Feeding Frenzy\crashinfo.dll 
Hamsterball.dll is located in C:\Programs\Gamehouse
And
Patchw32n.dll is located in C:\Program Files\Electronic Arts\Network Play\patchw32n.dll

I'm going to run stinger now.

I still have the Norton up and need to know whether to quarantine and I still have the HiJackThis Log.


----------



## Mosaic1 (Aug 17, 2001)

Go ahead and quarantine for now. I am looking in the Add Remove programs uninstall key you sent. It is long. You can uninstall some games if you like. Who knows, those files may be update downloaders and not malware. I don't know. I hope the uninstallers are legitimate though.

Let me know which ones you do.


----------



## Mosaic1 (Aug 17, 2001)

Go ahead and close Hijackthis. We won't be using it again for a while. I am going to have to write some files to get the information we need.

After you run Stinger, let me know.

Hopefully before we finish for the night you'll be able to run part2 of the l2mfix.


----------



## Roe727 (Mar 9, 2004)

This is weird, I downloaded stinger and then tried to run it, but the floppy drive was just making all kinds of noise and then the computer icons disappeared and then the hijackthis notepad that I had minimized appeared on the desktop, but the other hijackthis log disappeared, but the Norton log is still here and wait....the stinger.exe icon just changed it came up...I'm scanning now..


----------



## Mosaic1 (Aug 17, 2001)

Sounds like you had a windows explorer crash. It happens. I would not run anything from the floppy drive. Put Stinger on the hard drive. Have a second look at the directions on the download page:
http://vil.nai.com/vil/stinger/


----------



## Roe727 (Mar 9, 2004)

Sounds good....the hubby wants to go out for a bit soon, so I may have to take a break, but I'm running Stinger and we'll see what happens here. I'll quarantine the files. I'm deleting Rescue Heroes Hurricane Havoc, Rescue Heroes Lava Landslide, Rescue Heroes Tremor Trouble, Rescue Heroes Mission Select, The Sims Livin' Large, Blue's 123 Time Activities...I checked with her, these are all games. What is WildArcade and While you Surf on the Add/Remove programs??


----------



## Roe727 (Mar 9, 2004)

So you want me now to start saving things to transfer on to the computer onto CD's and not floppies??


----------



## Mosaic1 (Aug 17, 2001)

Floppies are ok. Just transfer to the Hard Drive before you run the files. You seem to have a problem at times running from floppy. If the files are too big, then CD.

I'll let you know what's next. Leave Wild Arcade alone.

Have a look here for the reasons: You are lucky not to be on the internet.
http://www.trendmicro.com/vinfo/grayware/graywareDetails.asp?SNAME=ADW_OVERPRO.A

I'll have to look at the registry file to find more on While you surf. It could be a few things.


----------



## Mosaic1 (Aug 17, 2001)

We stopped While You surf from running. That was wys.exe

It is another ad spawning, downloading nasty.

According to the data, the entry in Add Remove Programs will uninstall it properly. And some of the leftovers in system32 are files left by this.

Go ahead and use the Add Remove Programs entry for it to uninstall.


----------



## Roe727 (Mar 9, 2004)

ok...I'm not really sure why we are leaving the wild arcade after looking at that link, but I trust you. I'm going out for a bit, I'll check the log when I get back. All the games were deleted, I have to go...be back later.


----------



## Mosaic1 (Aug 17, 2001)

We are leaving it because the uninstaller they gave you to run in Add Remove Programs is not a real uninstaller. It runs a trojan. You are not connected to the internet and have already had and removed some of the infections it downloads and installs. But why set it up to run again?

Information on the trojan the so called uninstaller runs.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_STILEN.A

Uninstalls are not written by Microsoft, they are written by the programmers of the program you want to uninstall. They are often booby trapped and can reinstall both themselves and other nasty Trojan Downloaders and Spyware, adware etc.

These people are not to be trusted.


----------



## Roe727 (Mar 9, 2004)

Looks like the stinger came up clean, the blue123.dll is gone with the game file. Deleted While You Surf.


----------



## Mosaic1 (Aug 17, 2001)

Good. I am working on some research for you. In the meantime are you up to running part 2 of the l2mfix?


----------



## Mosaic1 (Aug 17, 2001)

I am attaching a zip file containing a reg file to clean up the Add Remove Programs uninstalls list.

Extract cleanup uninstalls.reg and double click on it to run. Say yes when prompted.


----------



## Roe727 (Mar 9, 2004)

I'm running l2mfix now.


----------



## Roe727 (Mar 9, 2004)

l2mfix is attached.


----------



## Roe727 (Mar 9, 2004)

I ran the cleanup uninstall also.


----------



## Roe727 (Mar 9, 2004)

I understand what you said about Wild Arcade, but what happens if someone goes and uses the add/remove and tries to remove it? Because then they wouldn't know they were doing anything wrong and it would create a problem with the machine again. Correct??


----------



## Mosaic1 (Aug 17, 2001)

That won't happen. The cleanup uninstalls reg file removed any extra entries like that one from Add Remove Programs. Also we will check tomorrow for any extra folders and files mentioned in the uninstalls we removed.

In the meantime you are looking so great.

But I remember a long list of files in the first report which still may be there. Orphaned, but still in need of removal.

Could you run part 1 of l2mfix again and post the results please? 

We are getting closer. Are you going to be able to get on the internet in a day or two? Or will you have to take the computer back to the owner to get on the net. I will need to follow up with a few details after the Computer is connected. 


Tomorrow I hope to explore a few more details of the invisible registry entries added by dell.dll and remove those along with file leftovers and get the computer some protection too.


----------



## Mosaic1 (Aug 17, 2001)

Again. These are all details and orphans. So far as I can tell, the computer is clear of active infection. But not out of danger until we clean up and protect.


----------



## Roe727 (Mar 9, 2004)

I have run part 1 of l2mfix and attached it. As far as the internet goes, the only way for me to be on there, I think, is to connect it to my line. I might be able to do that, otherwise I have to bring it back over to her house and that is a lot harder for me to work on. Let me think about the best way to go about this and I'll let you know. How much longer do you think we have or is that too hard to tell? My nights this week are tied up, but I should be able to be on in the afternoons, up till about 4ish. I'm not rushing it, I'm just wondering, I know we had quite a mess here. Thanks again.


----------



## Roe727 (Mar 9, 2004)

Here's that l2mfix report...I forgot to attach it..lol


----------



## Roe727 (Mar 9, 2004)

Katie...what about those other 4 files that Norton came up with? (Deleting that Blues Clues game took care of the one.)


----------



## Mosaic1 (Aug 17, 2001)

I just got here. I'll read and get back to you. I am hoping not too much more time. But you did have invisible entries in the registry I need to find and clean. Plus dell.dll didn't show as being loaded when you used StartDreck. So I really want to be careful here. There are orphaned files leftover to delete as best we can. Believe me when I tell you that Ad-Aware and Norton don't get anywhere near everything. And I want to check out files on any other User's profiles if there are any. So probably a couple of days here. And there are a few other things we can do before we launch the Internet.


----------



## Mosaic1 (Aug 17, 2001)

Are they in quarantine? See if you can delete them now.


----------



## Mosaic1 (Aug 17, 2001)

I don't understand why some of these files we have tried to delete before are still there unless dell.dll was blocking the deletions.

I created a batch file last night to delete some of them and make a record. There will be more to delete, but let's work with what I have already done so you are not just sitting there waiting.

Download the zip file and extract the bat it contains to its own folder.

Double click on files to delete.bat

It will open a command window. You don't have to do anything else. When it finishes it will open a Notepad file named Deletions.txt

Copy and paste the contents of deletions text in your next reply here. I am hoping it will be empty. That will mean it found and deleted the files. But I will also then have you go into system 32 and triple check to be sure they are gone.


----------



## Roe727 (Mar 9, 2004)

I went to look for the first one and couldn't find it so I searched for it and still couldn't find it....could it be because of them being quarantined?? There seem to be other files with the beginning part, but not with the .dll extension.


----------



## Mosaic1 (Aug 17, 2001)

Yes. Quarantine means they have been moved somewhere. I don't use Norton. Open the Norton program and look around to see where Quarantine is located and if you can empty it.


----------



## Mosaic1 (Aug 17, 2001)

> There seem to be other files with the beginning part, but not with the .dll extension.


What are the names?


----------



## Roe727 (Mar 9, 2004)

ok, ran it, here it is:

File not found - MXDEX.DLL
Could Not Find C:\WINDOWS\SYSTEM32\MXDEX.DLL
File not found - LRCMP11n.DLL
Could Not Find C:\WINDOWS\SYSTEM32\LRCMP11n.DLL
File not found - you.txt
Could Not Find C:\WINDOWS\SYSTEM32\you.txt

Here are the names of those files. I'll look into the Norton thing.
CENTHELP.dll, crashInfo.dll, Hamsterball.dll and patchw32n.dll, they are all Trojan Horses.


----------



## Roe727 (Mar 9, 2004)

If I delete them from quarantine, does that mean they are being deleted from the computer??


----------



## Roe727 (Mar 9, 2004)

There are the 5 in there that Norton found the other night and another 3...
mm20.ocx, listed twice in 2 different locations and updtsup3.exe.


----------



## Mosaic1 (Aug 17, 2001)

Yes it does.

What other locations please, what does Norton say.


----------



## Roe727 (Mar 9, 2004)

I deleted all of them...so hopefully they are really gone.


----------



## Roe727 (Mar 9, 2004)

Sorry, I already deleted them.

There is something else in Norton called Backup Items...there are 129..file names are saie1101.exe, unins000.dll, wrapper.exe, medload.exe, CDALoggerrf.dll, CDA.dll, and aimsgr.exe. There are a lot of each...??? Any idea??


----------



## Mosaic1 (Aug 17, 2001)

Yes. Those are copies of removed files in the event something was removed accidentally which shouldn't have been. Run that batch while I get a tool ready for you. We have some digging to do and I have to write some files so I can see what I need to.


----------



## Roe727 (Mar 9, 2004)

Sorry Katie, but what batch...I already ran the deletions one it is in post 81.


----------



## Mosaic1 (Aug 17, 2001)

Sorry. I missed that. You.txt was a test filename I added to see what would happen last night. Good. It looks like the files were deleted.

I have a nice tool here. I want to check out a few things. It's another script. So tell Norton to back off. LOL
Create a new Folder and extract the vbs to it.
Double click on *Nested if's get atts.vbs* to run it.

An Input Box will appear. Type this and press enter:
C:\windows\system32

This is going to take a few minutes. Don't worry about that.

When it finishes it will have created and will open a file named Attribute.txt

That will be one huge file. So please attach it to your next reply. This is going to give me extended information on all non Microsoft dll's and exe's plus a few other file types in System32.


----------



## Roe727 (Mar 9, 2004)

ok. I'll post back as soon as it finishes.


----------



## Mosaic1 (Aug 17, 2001)

I am going to continue making files and sending them. Do them one at a time. I am just trying to get ahead a bit.

This is another zip. Extract the batch it contains to another folder.

Double click on *exportit.bat*

It will produce a binary file named odl.txt

odl.txt is going to look very odd. That's not a problem.

Don't try to copy and paste it. Instead attach it to a reply.


----------



## Roe727 (Mar 9, 2004)

Finished...I attached it.


----------



## Roe727 (Mar 9, 2004)

Here's the odl.txt.


----------



## Mosaic1 (Aug 17, 2001)

Now I am 100% sure this computer had one or more AIM Viruses.

Go here and download the aimfix. Run it. It will do some further clean up of registry entries and files.

http://www.jayloden.com/aimfix.htm


----------



## Roe727 (Mar 9, 2004)

Ok BOSS....lol I ran it. 

It deleted a file called C:\active.exe
edited the profiles and restored the internet explorer settings...


----------



## Roe727 (Mar 9, 2004)

Question. She has the Ad-Aware, Spybot and CW Shredder, what are your thoughts on us adding the SpywareBlaster and the SpywareGuard? I have them on my computer and I was just wondering. Also...speaking of my computer....the only thing that seems to get through anytime I run Ad-Aware is Alexa...any way that I can block her...?? I have upped my security settings so that is not the case, it is probably the Limewire I have, but my son is sooo into downloading music...I KNOW, I KNOW....bad idea, but until he leaves....lol...he needs something to do. He's 19.


----------



## Mosaic1 (Aug 17, 2001)

Give me five more minutes. I am getting a list together of files to delete in system32.

While I am doing that, go here and read the post. You can probably fit on floppy and yes I think highly of both.

Follow the advice and get the free downloads to help avoid some of these problems in the future.
http://www.computercops.biz/postt7736.html


----------



## Mosaic1 (Aug 17, 2001)

I am attaching a plain text file with a long list of files to be removed from System32. I want these in the recycle bin for a day or two to be sure something needed wasn't deleted by accident. I am 100% sure on most, but in the event of a problem, or if you delete something accidentally, you will have the files. And do keep the list of what was removed too.

*** Be extra careful not to double click on any of the exe's 

It's easy to do that. You don't want to wake up any sleeping tigers.


----------



## Mosaic1 (Aug 17, 2001)

I just saw your Alexa Question. That is just the Related Toolbar, a part of Internet Explorer. If you don't use it, it just sits there. There has been a long debate in the Spyware Community about the Related Toolbar. The real spyware is the actual Alexa Toolbar people install themselves.


----------



## Mosaic1 (Aug 17, 2001)

I just saw Limewire too. File Sharing is asking for worms.


----------



## Mosaic1 (Aug 17, 2001)

odl.txt didn't reveal any secrets. Dell.dll loaded somehow. But so far we have had no luck tracking that down. The file is gone and so it should be ok. Let me know when you are all caught up.


----------



## Roe727 (Mar 9, 2004)

I deleted all the files except exul2.exe, pmldud.exe and svchost.dll which wouldn't delete...do you want me to try to delete them another way?

aimsgr.exe and winupdt.exe weren't listed. I searched for them using search and they didn't show up anywhere that way either.


----------



## Mosaic1 (Aug 17, 2001)

Here's something else to help me look at the Hard Drive and folders.
Download the attachment and extract the bat file to its own folder. Double click on Get Folders.bat to run it.

It will run and produce a text file named PF.txt

If not too large, post the contents. Otherwise you may as well attach it.

I also want to try a registry search for Dell.dll

A long shot, but let's do it anyway.
Here's a very nice script to help you out. It will do the reg search for you.

Download it and run it. When it starts, you will be prompted to enter a search phrase. Search for Dell.dll

Do that and go have a cup of coffee.
When you get back, a message box will be there on the desktop. Say yes to open the results. Copy and paste the contents into a reply here. Once you close that file, it will be deleted, so please save it as delldll.txt. We may need it again.

Here's that link:
http://www.billsway.com/vbspage/
Find Registry Search Tool And download it.


----------



## Mosaic1 (Aug 17, 2001)

The two files you couldn't find likely were removed when you used the Aim tool and did another removal last night.

These three:
svhost.dll
exul2.exe
pmldud.exe


You typed svchost.dll but the file is listed as svhost.dll No c in there 


Right click and see if there is a file permissions problem.

And do you get access denied or any error?
EDIT: I'll be in and out for the next hour or so. I'm cooking dinner again.


----------



## Roe727 (Mar 9, 2004)

Ok...I've attached the Pf.txt file. And here is what the Dell report said:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "Dell.dll" 2/9/2005 4:32:52 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_USERS\S-1-5-21-2663407117-2301685778-4093279725-1006\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="dell.dll"


----------



## Roe727 (Mar 9, 2004)

I was getting an error message, but I just went in and tried them again, third time, and they deleted.


----------



## Mosaic1 (Aug 17, 2001)

Yeah! Poor computer is really getting confused.

The Registry Search turned up nothing. That's a record of the time you searched for the file. I'll look at Pf.txt and get back in a while. I'm ruining dinner at the same time. LOL


----------



## Roe727 (Mar 9, 2004)

no problem..I'm going to take my son out driving...16 uugghh. I'll check back later.


----------



## Mosaic1 (Aug 17, 2001)

Ok I need you to run a command and post the results please.

Go to start >run and type 
cmd
Press enter

Right click in the command window and paste this in:
*Dir /B "C:\Documents and Settings" >Users.txt*

Press enter.

When it finishes, and takes you to another blinking command prompt, type
Users.txt and press enter to open Users.txt

Paste the contents of Users.txt into your next reply here.

Your Windows and programs files are not looking good. A lot of nasty files are left to select for deletion again. It's going to take me some time to go over all of it.

Please go back to system32 and be sure all the deletions you performed earlier took.


----------



## Roe727 (Mar 9, 2004)

It is not working....originally when I bring up the box it says:
C:\Documents and Settings\Susan Zweig>

It will not let me go to the next line, so I pasted it next to it and it just repeats the 
C:\Documents and Settings\Susan Zweig>

and does nothing else.


----------



## Mosaic1 (Aug 17, 2001)

That is not correct.

Do this. Type in *cd ..* Press enter

then paste in this command at the next prompt
Dir /B "C:\Documents and Settings" >Users.txt

Then start Users.txt


----------



## Roe727 (Mar 9, 2004)

I rechecked the list and they are all in the recycling bin. Maybe we should have wiped this thing out and started over. I know, a little late to say that huh...lol


----------



## Roe727 (Mar 9, 2004)

Still doing the same thing.


----------



## Mosaic1 (Aug 17, 2001)

Ok this is why I have to take a break. That's what it is supposed to do. You forgot to type Users.txt at the next prompt to start Users.txt


----------



## Mosaic1 (Aug 17, 2001)

The fact is that we are cleaning out junk now so nobody presses an exe and reinfects the machine.

And I want to go into each User's Folder and clear out their Temp and Temporary Internet Folder too.


----------



## Roe727 (Mar 9, 2004)

Here's the users.txt...
Administrator
All Users
Jamie Zweig
Owner
Susan Zweig


Sorry if I confused you.


----------



## Mosaic1 (Aug 17, 2001)

Ok Let me write you a batch file. I had forgotten to change something in the other and it was looking for the D Drive.

BRB


----------



## Mosaic1 (Aug 17, 2001)

We don't need this post now. You got the users list already. No need to run the attachment. Let's call it a night. I may be back later to add more instructions. But it's been a full day.


----------



## Roe727 (Mar 9, 2004)

Ok....I'll try to run it tonight, but I might have to call it a night.


----------



## Roe727 (Mar 9, 2004)

The same users came up that are in the above post. #116.


----------



## Roe727 (Mar 9, 2004)

I'll be here for a little longer if you want me to run anything else.


----------



## Mosaic1 (Aug 17, 2001)

Download this attachment.

Extract the batch file and run it. You may get 3 Message boxes about the results of unregistering files. Click yes. But if an error, then note it and let me know. 



When finished it will start a file with the results.
Copy and paste that here please. Hopefully it will be empty.


----------



## Mosaic1 (Aug 17, 2001)

Go to C:\Documents and Settings

Open each of these folders, one at a time:

Administrator
All Users
Jamie Zweig
Owner
------




In each Folder, open the Local Settings Folder.

Under Local Settings I want you to look at three different Folders.

Temp -- Open and select all files. Delete all files.
Temporary Internet -- Do the same


Application Data -- open up and make a list of all files contained in each user's Application data folder.


----------



## Roe727 (Mar 9, 2004)

This is what I'm getting: RegSvr32 box with this text: "Sskcwrd.dll " is not an executable file and no registration helper is registered for this file type.


----------



## Mosaic1 (Aug 17, 2001)

Ok Stop running it and just go to start>Run and type 
%Appdata%

Press enter.

When the folder opens, delete these files:

Sskcwrd.dll
Sskknwrd.dll
Sskuknwrd.dll
ttuh.exe
tvmknwrd.dll


----------



## Roe727 (Mar 9, 2004)

Ok...here goes:

Administrator..application folder: application History, Microsoft, iconcache.db, help, GDIPFONTCACHEV1.DAT.

All users application folder: AOL, BVRP SOFTWARE, Gtek, Microsoft, Oberon media, quicktime, softdisk LLC, Symantec, vmss, aol downloads, dell, mcafee.com, MSN6, pcsvc, SBSI, Spybot, search and destroy, Viewpoint, wsxs and mssaru.dat.

Jamie Zweig application folder: application data, desktop, Jamersons Documents, My recent documents, printhood, start menu, userdata, cookies, favotires, local settings, nethood, sendto, templates, windows, clear.reg, lo2.txt, ntuser.dat.log, ntuser.dat, test3.txt, test.txt, text5,txt, test2,txt.

Owner application folder: My documents

The only one that had temp and temporary internet was Administration folder.


----------



## Roe727 (Mar 9, 2004)

I deleted those files, but ttuh.exe wasn't there and couldn't be found by search either.


----------



## Mosaic1 (Aug 17, 2001)

You didn't follow the instructions for the User's folders.

Please have another look.


> In each Folder, open the Local Settings Folder.
> 
> Under Local Settings I want you to look at three different Folders.
> 
> ...


----------



## Roe727 (Mar 9, 2004)

The only one that had a local settings folder is the administrator.


----------



## Roe727 (Mar 9, 2004)

I'm going to need to call it a night soon and I know you could use a break as well.


----------



## Mosaic1 (Aug 17, 2001)

Delete from All users application folder: vmss, pcsvc, wsxs 

No Local Settings folder? That is odd. It is a hidden folder but is needed for the System to work correctly. The only thing I can think of is permissions or you have show hidden files turned off again in Folder Options. 

And until we get the information it will not be safe for them to sign on. BECAUSE if there are nasty files in there and their Current User Registry hive is set to start those files, then the computer will be reinfected as soon as they sign in. 

Are you signed in to an account with administrative privileges?

Go to Control Panel >User Accounts

Double click on it. If control panel is not in Classic view, look to the left and click to change to classic view. 

Open User Accounts.

Look at the name you are signed in under.

Does it say Computer Administrator underneath the name?


----------



## Mosaic1 (Aug 17, 2001)

?? Look again. I think we both need a break.



> Jamie Zweig application folder: application data, desktop, Jamersons Documents, My recent documents, printhood, start menu, userdata, cookies, favotires, local settings, nethood, sendto, templates, windows, clear.reg, lo2.txt, ntuser.dat.log, ntuser.dat, test3.txt, test.txt, text5,txt, test2,txt.


local settings is listed there.


----------



## Roe727 (Mar 9, 2004)

Oopss....sorry...Yes, I'm tired. Jamie Zweig: Application History, Help, Microsfoft, Dell, Identities, GDIPFONTCACHEV1.DAT, DCBC2A71-70D8-4DAN-EHR8(Configuration settings), IconCache.db

I sign in under Susan Zweig and yes she has Computer Administrator under her name.

I think I need to call it a night, I'm sorry, but I'm tired and I don't want to make any mistakes here.


----------



## Roe727 (Mar 9, 2004)

I checked the folder options and show hidden files and folders is checked.


----------



## Mosaic1 (Aug 17, 2001)

That's ok. I confess to being too tired too. We'll pick it up tomorrow. Good night. Get some rest.


----------



## Roe727 (Mar 9, 2004)

Thanks u2...


----------



## Mosaic1 (Aug 17, 2001)

zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz Thanks


----------



## Roe727 (Mar 9, 2004)

Ok..I went back and looked at the users again:

Administratorwent in and made sure the temp and temporary internet files were deleted and opened the application data folder and found: application history, Microsoft, help GDIPFONTCACHEV1.dat.

All Users.there is no local settings folder, temp or temporary internet folders. Opened the application data folder and found: AOL, BVRP SOFTWARE, Gtek, Microsoft, Oberon media, quicktime, softdisk LLC, Symantec, aol downloads, dell, mcafee.com, MSN6, SBSI, Spybot, search and destroy, Viewpoint, and mssaru.dat. And remember that pcsvc, wsxs and vmss you had me delete, so they are gone.

Jamie Zweigwent in and made sure that them temp and temporary internet files were deleted and opened the application data folder and found: Application History, Help, Microsfoft, Dell, Identities, GDIPFONTCACHEV1.DAT, DCBC2A71-70D8-4DAN-EHR8(Configuration settings), IconCache.db

Ownerthe only file in here is My documents.

So Jamie Zweig and Administrator were the only ones with Local Settings.

And Im not sure why you didnt have me go into Susan Zweig?? But Im going to list what is in there, because there is a problem there.
Application Data folder: Application History, Dell, Identities, Oberon Media, BVRP Software, Help Microsoft, Wildtangent, dcbc2a71-70d8-4dan-ehr8 (configuration settings), Iconcache.db, GDIPFONTCACHEV1.DAT.

In the Wildtangent folder there is Cdacache.
In her temp file there is a file named perflib_Perfdata_e8.dat that it will not let me delete, comes up with an error message that says: Cannot delete Perflib_Perfdata_e8: It is being used by another person or program. Close any programs that might be using the file and try again.
Emptied the temporary internet files.


----------



## Roe727 (Mar 9, 2004)

I am only signing in under Susan Zweig when I sign in, except in safe mode where I have to sign in as Administrator.

FYI: When it boots in normal mode there are 2 options: Susan Zweig and Jamerson (I think that is the name)and in safe mode Administrator and Jamerson (I think that is the name)


----------



## Roe727 (Mar 9, 2004)

Also...remember that there are 2 application data folders ... one when you click on the name...for example Administrator...one in the initial folder and one in the local settings...the users that had local settings, I'm giving you the application data from the local settings folder...does that make sense. The users that don't have local settings, I'm giving you the information from the application data folder that initially shows up...(not in the local settings folder).


----------



## Roe727 (Mar 9, 2004)

The owner is in no rush to get the computer back, just asap.


----------



## Mosaic1 (Aug 17, 2001)

Susan Zweig is the current identity and that was for later. 

Basically I wanted to clean out the other identities. It's normal not to be able to clear some files in the Temp folder, they are often created by programs in use. A reboot and not starting anything usually will clear those. perflib_Perfdata_e8.dat is one which will not go away. That's ok. You can delete the Wild Tangent Folder. I hope they are not going to use WildTangent any longer. 

Right now I am going over the Program files and Windows Folder. There is a lot in there and it is honestly going to take some concentration and research to try and assess the situation. 

I'll post with more as I get it.


----------



## Roe727 (Mar 9, 2004)

I just went into the control panel, user accounts and realized that both Susan Zweig AND Jamerson are listed as computer administrator under their name???


----------



## Mosaic1 (Aug 17, 2001)

That's fine. They both have accounts with administrative privileges. There are different types of accounts. There can be many accounts on a given computer. I'll get back when I have something.


----------



## Mosaic1 (Aug 17, 2001)

Ok Here's a long list of files and folders to remove. 

C:\Program Files
Remove these folders:

Alset
Altnet
AWS
CursonZone
CxtPls
NaviSearch
Power Scan
PowerSearch
SEARCH3 TOOLBAR
wildmedia
Lycos




===================
C:\Windows
Remove these files and Folders


bsx32 --Folder
bundles --Folder
iClearSearch -- Folder
EliteSideBar -- Folder
EliteToolBar -- Folder
eSearchBar -- Folder
iOneEighty -- Folder
Lycos -- Folder
winskw -- Folder

AdRoar.dll
alchem.ini
ARUpdate.exe
bbi8024_MEDIAMOTOR.exe
Belt.ini
EDow_AS2.exe
eeeeddd.exe
ei25.exe
gcncea.dll
Helper101.dll 
launchurl.exe
lycos.exe
MediaMotor25.exe
medload.exe
mm15201518.Stub.exe
mm21.ocx
mm62.ocx
mmups.exe
mmwork.exe
neti.dll
newpop62.exe
nwxa.dll
optimize.exe
optimize2.exe
sideb.exe
ssqb.exe
SStb.exe
suploads.exe
wast2.exe
woinstall.exe
zeta.exe
-------------

When you have finished, remember that script(vbs) I sent to look at the system32 folder? It created attribute.txt. Run it again. First rename attribute.txt to system32.txt.

When the Input box appears, Type
C:\windows

There are just a few files I have a question about. Attach the results please. 


There are always going to be leftovers. ini files etc. I am trying to get rid of installers, exe's, ocx's and dlls. 

The registry is going to have a lot of leftovers too. But hopefully, nothing to create problems. We are getting there.


----------



## Mosaic1 (Aug 17, 2001)

When you have finished with those tasks, please go to C:\windows\temp and delete the contents. 

Is it possible for you to sign in as the other identities? If so, one at a time I want you to do that and then run Hijackthis. We need to see what if anything they show.


----------



## Roe727 (Mar 9, 2004)

I deleted all those files, but I can't seem to find the attribute file, can you send me it again or tell me what post it was in and I can re-download it.


----------



## Mosaic1 (Aug 17, 2001)

Do a search for attribute.txt

Then right click on attribute.txt in the result pane and click on "open containing folder" 

That should find it.


----------



## Mosaic1 (Aug 17, 2001)

Remember, it is a script. Attribute.txt is the results file it created. But attribute.txt will be in the same folder.


----------



## Roe727 (Mar 9, 2004)

I'm not sure what happened to it, I can only find the text that is the results. I'm still looking for it. When/If I find it I'll run it. Sorry.


----------



## Mosaic1 (Aug 17, 2001)

Here it is again. I have to take a break for a while. I'll be back after lunchtime.


----------



## Roe727 (Mar 9, 2004)

No problem..Thanks. See you later.


----------



## Roe727 (Mar 9, 2004)

Sorry about that attribute file. I have sooo many. Anyway, I attached it and I deleted the c:\windows\temp and I'm going to look at the identities hijackthis after I feed this baby. I'll post back soon.


----------



## Roe727 (Mar 9, 2004)

Here's the file.


----------



## Mosaic1 (Aug 17, 2001)

Just checking in for a second. See you shortly.


----------



## Mosaic1 (Aug 17, 2001)

That last file you uploaded was from system32 again.



> When the Input box appears, Type
> C:\windows


----------



## Mosaic1 (Aug 17, 2001)

I see in this one that some of the nasty files are back and named as copy of. Somehow they were copied. I'll get you a list of those to delete again. Please be careful and do not press copy. Press delete when you right click on these files. Please go back over all the lists I gave you and be sure you didn't create copies of the files you were deleting. They would be named copy of and then the filename or copy2 of and then the filename.


----------



## Roe727 (Mar 9, 2004)

Here ya go...


----------



## Mosaic1 (Aug 17, 2001)

Roe,

I looked at that other you sent and you made many copies of files I asked you to delete. I am asking you to be careful. I am not able to triple check everything you do. My eyes are bad and reading these reports is taking a harsh toll. I will not be responsible if you do not follow my directions and do not remove the files you have been asked or make copies. One click on an exe and a lot of these things will be right back. People have a tendency to click on files even when they do not know what they are. 
I am trying to scour that hard drive and remove anything I can which is dangerous. I cannot re-post all my directions. Please go back and be sure you deleted and did not make copies of files and folders.


----------



## Roe727 (Mar 9, 2004)

Ok...I'll recheck.


----------



## Mosaic1 (Aug 17, 2001)

Good. Remember that a lot will be renamed as copy of or copy(1) etc


----------



## Roe727 (Mar 9, 2004)

I rechecked and removed any copies...I have a question, can something be putting them back on? Because there was like 4 copies of some of these files. I know I didn't do that. I could have done one copy by mistake or something, but not 4. And I know you can't recheck everything I'm doing. I'm trying to be careful.


----------



## Mosaic1 (Aug 17, 2001)

It would be odd to have something creating several copies of files instead of just putting back the deleted file. When you get a chance, run Hijackthis on that account again please. 

The idea is to not have these running. But again, I do want to remove the chance of someone clicking on one of these files and reinfecting. And we have yet to see what is in the other identities' startups.


----------



## Roe727 (Mar 9, 2004)

Tell me what you think. Those are the 3 that I can log on to...Administrator, Susan Zweig and Jamerson.


----------



## Mosaic1 (Aug 17, 2001)

Looking at your attribute2.txt and am seeing the same thing. Please check the windows folder for copies.

Would you use the script to create a new attribute.txt for the
C:\windows folder please.

I am not going to use this one with all the copies listed.


----------



## Mosaic1 (Aug 17, 2001)

Good. May I see a hijackthis log from the first one please? We'll do those one at a time or it can get very confusing.

But first, I would like to see a log from the Profile you are on now and that second attribute.txt from the windows folder. That other was loaded with copies again.


----------



## Roe727 (Mar 9, 2004)

A hijack log from the first one?? 

I have attached another attribute log


----------



## Mosaic1 (Aug 17, 2001)

Yes. But before you sign on to another identity, I want to see a log from the Susan Identity first please. We can't be too careful.


----------



## Roe727 (Mar 9, 2004)

I already ran all 3....in post 146 you said "Is it possible for you to sign in as the other identities? If so, one at a time I want you to do that and then run Hijackthis. We need to see what if anything they show.".....I hope I didn't screw anything up. They are attached to post #164. I'm sorry if I misunderstood.


----------



## Mosaic1 (Aug 17, 2001)

c:\windows

Delete these files:
autoheal.exe
beno.dll
e2g25.exe
icont.exe
iconu.exe
iconw.exe
jtnezabz.exe
jtnezabzu.exe
loads.exe
setup_silent_26223.exe
ss3unstl.exe
sskb5.exe
SSK_B5.EXE
UninstHurricane.exe
VT00.exe
Wrapper.exe 

--------------------

bkdsp.exe Not Sure, they may have Visual Studio and have written this program. Ask them before you do anything. IF they are in the dark, then delete it.

easter.exe Not sure on this one either. 


unstall.exe Not sure again. Looks to be an uninstall from a home made project. Ask them before you delete. 


4295.exe Not sure. May I see a copy of this file please? Zip and email as an attachment to me at 
Katie_3232 @hotmail.com

Remove the space from the address for it to work.


----------



## Roe727 (Mar 9, 2004)

I sent that file...I called her and she doesn't have a clue about any of this, should I delete them?


----------



## Mosaic1 (Aug 17, 2001)

Yes.

*First sign on to jamerson. Run the old hijackthis.*

Select the following and press the fix checked button. 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50043
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netspry.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll (file missing)
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\SurfSideKick 2\\Jamie Zweig\HXDL.EXE -silent
O4 - HKCU\..\Run: [TV Media]C:\Program Files\SurfSideKick 2\\Tvm.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: Ebates - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: Ebates - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC} - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm (file missing) (HKCU)
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com

Be sure these folders are really deleted:

C:\Program Files\SurfSideKick 2
C:\program files\ClockSync
C:\Program Files\couponsandoffers
C:\Program Files\EbatesMoeMoneyMaker
C:\Program Files\Web_Rebates
C:\Program Files\WebSavingsfromEbates

You are still using an older version of hijackthis.

Go here and update it please:
http://www.merijn.org/files/hijackthis.zip

After, Run Jamerson again with the new Hijackthis and post that log as a follow up please.


----------



## Mosaic1 (Aug 17, 2001)

I checked my email and it hasn't arrived. Did you remove the space from the email address?


----------



## Roe727 (Mar 9, 2004)

I checked in Jamerson's program files and none of those you have listed are there. Here's another hijackthis log from the new version:

Logfile of HijackThis v1.99.0
Scan saved at 2:48:34 PM, on 2/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jamie Zweig\Local Settings\Temp\Temporary Directory 1 for hijackthisnewversion.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aim.aol.com/errors/MISMATCH_PASSWD.html
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.0.1.20/squelchies/squelchies-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet/peaks/peaks-ob-assets.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr_ext.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## Roe727 (Mar 9, 2004)

Yes I did...snail mail sometimes.

I've attached it below.


----------



## Mosaic1 (Aug 17, 2001)

Thanks. That log is clean, but you are running Hijackthis from a temp directory. Before you use the new version again, create a new folder in My Documents or on the desktop and extract hijackthis.exe to it.

I have the file now. Please edit your post and delete the attachment. We want to keep these files out of the wrong hands.


----------



## Mosaic1 (Aug 17, 2001)

Ok that file is another pest installer. Go ahead and delete it. Also if there was a folder named 4295, delete that as well.


----------



## Mosaic1 (Aug 17, 2001)

This is a checklist for your friends and it is extremely important that these be done.

Things to do ASAP and before surfing anywhere:

Be sure your firewall is working. Do not use The Windows Firewall.

Go to AOL and change Passwords. All of them.

Any banking or other passwords or sensitive information should be changed! I am not sure how much privacy they have, let's not take any chances.

Go to Windows Update and install all Security Patches!
Go and update Norton, AD-Aware and Spybot.

Run Norton, AD-aware and Spybot.

Go back online and get free AV scans:

http://housecall.trendmicro.com/housecall/start_corp.asp 
http://www.pandasoftware.com/activescan/

Allow them to clean
----------------

Go here and get one of the free trials of an Anti Trojan and scan for Trojans. 
http://www.wilders.org/anti_trojans.htm
---------------------------------------


----------



## Roe727 (Mar 9, 2004)

ok...4295 is gone from the jamerson identity. I will pass this list along and make sure she does it. Thanks.


----------



## Mosaic1 (Aug 17, 2001)

Good. Let me know how it goes when they connect. I am still not happy about the dell.dll situation. We never found its load location. And it is described clearly. So this was likely a new version and it loaded from elsewhere. Are you up for one more test?


----------



## Roe727 (Mar 9, 2004)

sure....are we ready to get on the internet???? And hey how are the cupcakes?


----------



## Mosaic1 (Aug 17, 2001)

StartDreck didn't show dell.dll under Explorer.exe where it would have been loaded. I am not sure if this next utility I want to use would have done any better. But I feel a responsibility to have one final look if you are up to it.

First go to Control Panel>Internet Options. Set the IE home page to About:Blank for now. Do that by clicking the Use Blank Button.

PV is a utility to find which dlls are loaded under an exe.

Download pv.zip here
http://www.downloads.subratam.org/pv.zip

Extract to its own folder. Be sure at least one Internet Explorer window is open when you run this.

Double click on runme.bat do not touch anything else in the folder. The other files are not going to be used here.

Select #2 on the menu and press enter to get a log of what is loaded under Iexplore.exe (Internet Explorer)

The log will open. Copy and paste.

We'll look to see if anything is there.


----------



## Mosaic1 (Aug 17, 2001)

The cupcakes are delicious. Devil's food with home made fudge frosting. 

Yes. I think the true test will be the Internet. And the rest of what needs to be done on that list I gave you has to be done there. It's like sending your first born off to school the first day. Very nerve wracking!

We have a couple of very quick follow ups to this too. But those should only take a minute. At the beginning, flrman told you to download The Hoster and install. Were you able to do that?

And also, we have been using the Recycle Bin so I think it's working ok. Sometimes this thing damages it.
I have another concern. NTFS ADS, those are Alternate Data Streams. Some of the filenames I saw could indicate you have some of those.

We'll deal with the ADS after everything else is finished.


----------



## Roe727 (Mar 9, 2004)

when in Jamerson identity when it goes to the screensaver it goes to the screen where both names are, as if you are just signing on....I clicked on Jamerson and it came right back up, why would it be doing this.


----------



## Roe727 (Mar 9, 2004)

Does it matter which identity I do this under?


----------



## Mosaic1 (Aug 17, 2001)

That's a Windows Feature. Go to the desktop, right click and choose properties, click the Screensaver tab and have a look. Notice the box labeled:
On Resume Password Protect. That is what is causing the Welcome Screen to reappear after the screensaver runs.


----------



## Mosaic1 (Aug 17, 2001)

Probably not. Dell.dll was loaded under Local Machine. I would bet you it loaded from all identities. Anything we'd be looking at under pv would likely show from any identity, if it shows or is there.


----------



## Roe727 (Mar 9, 2004)

Here is the log, it was run under Jamerson identity since I had that up. No, I didn't run that other thing you were talking about "The Holster"....I'll have to go back in the logs to find it, I don't remember doing it.

Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2800.1106 (xpsp1.020828-1920) Internet Explorer
ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) NT Layer DLL
kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1560 (xpsp2_gdr.040517-1325) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1561 (xpsp2_gdr.040517-1325) Windows XP USER API Client DLL
GDI32.dll 7f000000 266240 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1561 (xpsp2_gdr.040517-1325) GDI Client DLL
ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API
RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime
SHLWAPI.dll 70a70000 430080 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1584 (xpsp2.040720-1705) Shell Light-weight Utility Library
SHDOCVW.dll 71700000 1343488 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1606 Shell Doc Object and Control Library
comctl32.dll 773d0000 1056768 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 6.0 (xpsp_sp2_rtm.040803-2158) User Experience Controls Library
SHELL32.dll 4f510000 8458240 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1580 (xpsp2.040720-1705) Windows Shell Common Dll
comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
ole32.dll 771b0000 1196032 C:\WINDOWS\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE for Windows
uxtheme.dll 5ad70000 212992 C:\WINDOWS\System32\uxtheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library
BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1584 Shell Browser UI Library
browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library
appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
CLBCATQ.DLL 7c890000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53 
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42 
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
WININET.dll 63000000 614400 C:\WINDOWS\system32\WININET.dll 6.00.2800.1468 Internet Extensions for Win32
CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.1362 (xpsp2.040109-1800) ASN.1 Runtime APIs
Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI
CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API
urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1479 OLE32 Extensions for Win32
mshtml.dll 63580000 2736128 C:\WINDOWS\System32\mshtml.dll 6.00.2800.1479 Microsoft (R) HTML Viewer
shdoclc.dll 76170000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Doc Object and Control Library
MLANG.dll 74770000 585728 C:\WINDOWS\System32\MLANG.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL
msi.dll 1500000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer
SXS.DLL 75e90000 708608 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1579 (xpsp2.040720-1705) Fusion 2.5
msimtf.dll 746f0000 155648 C:\WINDOWS\System32\msimtf.dll 5.1.2600.1106 (xpsp1.020828-1920) Active IMM Server DLL
MSCTF.dll 74720000 278528 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) MSCTF Server DLL
MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
IMM32.DLL 76390000 114688 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL
msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll


----------
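A way to review a pv module listing like the one posted above without reading it line by line, as an added example that is not part of the original thread or of the pv tool. The trusted-folder list is an assumption for this machine, the watch list holds the two file names discussed in this thread, and the last sample line is constructed.

```python
import re
from ntpath import dirname, normcase  # ntpath parses Windows paths on any OS

# Lines copied from the listing posted in this thread.
THREAD_EXCERPT = r'''Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2800.1106 (xpsp1.020828-1920) Internet Explorer
ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) NT Layer DLL
comctl32.dll 773d0000 1056768 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 6.0 (xpsp_sp2_rtm.040803-2158) User Experience Controls Library
msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll
'''
# Constructed line (not from the thread): a module loaded from a Temp folder.
CONSTRUCTED_LINE = r'''example.dll 10000000 40960 C:\Documents and Settings\User\Local Settings\Temp\example.dll
'''
SAMPLE = THREAD_EXCERPT + CONSTRUCTED_LINE

# Assumption: folders a browser module is expected to load from on this machine.
TRUSTED_ROOTS = tuple(normcase(p) for p in (
    "C:\\WINDOWS\\",
    "C:\\Program Files\\Internet Explorer\\",
))
WATCHLIST = {"dell.dll", "designer.dll"}  # file names discussed in this thread

# name, hex base address, decimal size, then path + optional version/description
ROW = re.compile(r"^(\S+)\s+([0-9A-Fa-f]+)\s+(\d+)\s+(\S.*)$")


def parse_modules(text):
    """Parse pv module rows into dicts; banner and header lines are skipped."""
    modules = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        name, base, size, rest = m.groups()
        # The path may contain spaces, so find where it ends: "\<module name>".
        tail = "\\" + name.lower()
        end = rest.lower().rfind(tail)
        if end < 0:
            continue
        end += len(tail)
        modules.append({
            "name": name,
            "base": int(base, 16),
            "size": int(size),
            "path": rest[:end],
            "info": rest[end:].strip(),  # version and description, may be empty
        })
    return modules


def review(modules, watchlist=WATCHLIST, trusted=TRUSTED_ROOTS):
    """Return (name, path, reasons) for every module worth a manual look."""
    findings = []
    for mod in modules:
        reasons = []
        if mod["name"].lower() in watchlist:
            reasons.append("name on watch list")
        folder = normcase(dirname(mod["path"])) + "\\"
        if not folder.startswith(trusted):
            reasons.append("loaded from outside trusted folders")
        if not mod["info"]:
            reasons.append("no version information")
        if reasons:
            findings.append((mod["name"], mod["path"], reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in review(parse_modules(SAMPLE)):
        print(f"{name}: {'; '.join(reasons)}\n    {path}")
```

A module that shows up here is only a candidate for a manual look; an add-on installed with another program loads from its own folder and is listed the same way.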



## Mosaic1 (Aug 17, 2001)

I'll find the Hoster directions for you and post them again. We are running late and I know you need to leave.

There's one more thing if you would. Either now or later.
Remember before I mentioned ADS (Alternate Data Streams)? Hijackthis has a utility to see and remove ADS.

If you open hijackthis and click on the config button. On the next page click the Misc Tools button.

Look for the open Ads Spy button. Press scan and then save log when finished. Post your results.


----------



## Mosaic1 (Aug 17, 2001)

The pv log looks clean. That's the best we can do for now.

Download the Hoster from this link:
http://members.aol.com/toadbee/hoster.zip

Unzip it to your desktop.

Run the Hoster and click "Restore Original Hosts" and press "OK" then Exit the Hoster.


----------



## Roe727 (Mar 9, 2004)

It came up empty.


----------



## Mosaic1 (Aug 17, 2001)

No ADS were found then. I got you the Hoster directions. Go ahead and do that. It's one more layer of protection for them.


----------



## Roe727 (Mar 9, 2004)

Ran Hoster. Tomorrow I will be hooked up to the internet and make the appropriate updates. Will you be around at all?


----------



## Roe727 (Mar 9, 2004)

Should I delete all these programs we put on her when we are completely finished?


----------



## Mosaic1 (Aug 17, 2001)

Yes. I will. In the afternoon. Is that good for you?


----------



## Mosaic1 (Aug 17, 2001)

Go ahead and clean those up. Sure.


----------



## Roe727 (Mar 9, 2004)

Yes the afternoon is fine, what I'm going to do is put it on in the morning and work on the updates so that when you arrive I will be done. I still have to deal with the security issues too. They have to be upped bigtime.


----------



## Mosaic1 (Aug 17, 2001)

You better have a look at this. I just saw it.

http://forums.techguy.org/t328992.html


----------



## Mosaic1 (Aug 17, 2001)

Ok good luck with it. If you feel anything is not right, disconnect and run hijackthis. See if there have been any changes.


----------



## Mosaic1 (Aug 17, 2001)

This next is important.

Be sure everything is in working order. Then it is time to flush your system restore points. Once you do that you will not be able to correct any problems you may have now by going back to a point before today. Although the computer was such a mess any old restore point would return it to that condition along with reinstalling all that Spyware.


After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points. 

Go to Start>Run and type msconfig Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.

Check the box labeled Turn off System restore. 


Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.


----------



## Roe727 (Mar 9, 2004)

Do I do that before going on the internet?????


----------



## Roe727 (Mar 9, 2004)

Yuck...isn't that nice.


----------



## Mosaic1 (Aug 17, 2001)

I'll tell you what. Be sure you can get on the internet before you flush the restore points. If there is a problem wait for me and we'll see if we can fix it. If you have internet Connectivity, go ahead and flush them. Then do the updates etc.


----------



## Mosaic1 (Aug 17, 2001)

Want my opinion? These nasty authors should be sentenced to life on a bus where they would go from house to house fixing problems they and their buddies cause. And no formats allowed. Jail is too easy for them. Of course it would help if we had some help from our governments.


----------



## Roe727 (Mar 9, 2004)

What kinds of problems am I looking for?????


----------



## Mosaic1 (Aug 17, 2001)

Just if your home page changes or you notice a huge and sudden slow down. Anything odd. I am not sure how you are going to connect. Your connection?


----------



## Roe727 (Mar 9, 2004)

Oh no...wait...she has dial up at her house, I have VerizonDSL, is that going to be a problem connecting it here??


----------



## Roe727 (Mar 9, 2004)

I was going to disconnect my computer and hook up her's but now I don't know that I can do that?


----------



## Mosaic1 (Aug 17, 2001)

I am not sure. What kind of connection do you have? And there is the matter of the ISP and its software.


----------



## Roe727 (Mar 9, 2004)

Verizon DSL Modem, but I was thinking I could connect to the wall so that I don't have to fool with the config. I think she is using AOL...I hate AOL.


----------



## Mosaic1 (Aug 17, 2001)

I don't know. Let me ask Candy to take a look at this one. I have dial up. Does she have a firewall? Don't go anywhere without one.


----------



## ~Candy~ (Jan 27, 2001)

I see from her hijack this log, the sick computer is running AOL 9.

There should be no reason she can't use the dialup from her house. Now, as to the firewall, I didn't see one running and am not that familiar with AOL Hell to know if it may have a built in one, but I kinda doubt. I haven't used AOL since about version 5 or 6.


----------



## ~Candy~ (Jan 27, 2001)

http://www.washingtonpost.com/ac2/wp-dyn/A15928-2004Nov27?language=printer

Loading either AOL 9's firewall or antivirus software takes just a few minutes. Make sure you're not typing any e-mail while the antivirus installer downloads; once it's ready, it will start its setup routine without further notice, kicking you off AOL in the process.


----------



## Mosaic1 (Aug 17, 2001)

Thanks Candy. Good idea about the Firewall. Wasn't that other computer on DSL? I wonder if it has a Modem in the case? Probably it does. Or possibly I am not remembering correctly.


----------



## Mosaic1 (Aug 17, 2001)

Duh!


----------



## ~Candy~ (Jan 27, 2001)

Well, remember she is working on someone else's computer, not one that is always in her house. So if they connect thru AOL, I'm guessing there must be a modem in the computer. Sounds like SHE connects at her house thru DSL. At least that is the impression I'm getting. She signed off AIM so I can't double check.........


----------



## Mosaic1 (Aug 17, 2001)

You're right. I didn't go back and read. The entire time the sick computer has been disconnected. I don't know why I thought it was using DSL on AOL at home.


----------



## Roe727 (Mar 9, 2004)

OK....I'm not sure if she has a firewall. After reading the link that Candy put in there, it seems that AOL 9.0 does have a firewall, but I'm still not completely sure. Can I download a firewall onto a disc and install it prior to connecting onto the internet?? Also any suggestions on which one?? Otherwise I'm probably going to just try to connect through the wall, dial-up...NOT my modem so that I don't have to change the configurations at all and it just might be easier. (Is anything easy with this computer mess.) Any additional thoughts ? Oh yeah, and Katie when should I delete those files in the recycling bin, AFTER I make sure I connect and everything is running?


----------



## Roe727 (Mar 9, 2004)

Yes it is disconnected and what a pain it has been to download from my son's laptop and upload everything...that is why I was so confused on refinding some of the programs that you wanted me to run. Oh well.....LOL Hopefully, this time tomorrow we can celebrate another rebirth.


----------



## Roe727 (Mar 9, 2004)

I'm looking at the AOL Help and it looks like AOL 9.0 does have a firewall. I just wish I could check on it to make sure it is enabled.


----------



## Mosaic1 (Aug 17, 2001)

This is a quote from the link Candy gave:

> A "Safety on My PC" panel on AOL 9 SE's sign-on window should, however, remind you to install these extras. This display concisely summarizes what kinds of protection you have or need. It's smart enough to check to see if you're already running a different firewall or antivirus program, although it doesn't report if that virus protection is up to date.


----------



## Roe727 (Mar 9, 2004)

I'm hooked up through my modem and I have updated Norton, ran it and got 2 infected files: DC154.exe and DC339.exe and I quarantined them. I updated Ad-Aware and ran it 3 times, first time over 400, second time about 60 and third time 5. BargainBuddy keeps coming up. I'm going to search for that again. I updated Spybot and it came up clean. I ran cwshredder and this is the log:
CWShredder v1.53.1 scan only report

Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
AppData folder: C:\Documents and Settings\Susan Zweig\Application Data
Username: Susan Zweig

Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (686 bytes, A)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\SYSTEM32\Userinit.exe,
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (707 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (292 bytes, A)

I have to pickup a child at preschool and when I come back I will look into the firewall and run a hijackthis log.

Still have to change the security settings and see about the start-up menu in msconfig.


----------



## Roe727 (Mar 9, 2004)

I installed a Zone Alarm Firewall and ran a hijackthis log.

Logfile of HijackThis v1.99.0
Scan saved at 1:14:56 PM, on 2/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Susan Zweig\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R3 - Default URLSearchHook is missing
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.0.1.20/squelchies/squelchies-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet/peaks/peaks-ob-assets.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr_ext.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Let me know what you think.
Thanks!


----------



## Mosaic1 (Aug 17, 2001)

The log looks great. Very clean. Good job. I know this has been a long ordeal.

The DC Means those files were in the Recycle Bin.

We didn't remove everything. That would have been impossible, There are orphaned leftovers in the registry and on the hard drive. We tried to remove the most dangerous files. I was hoping that the updated scans would find some of those and clean them up as a matter of housekeeping.

Look at your Ad-Aware Log and see what it says about Bargain Buddy. Where is it?



> Still have to change the security settings and see about the start-up menu in msconfig.


The security settings are essential. If this machine is on the internet, you need to protect it.

Have you gone to Windows Update yet? This is essential too. A lot of these things were installed because of lax security settings, dangerous surfing habits, file sharing or installing freeware, and a possible lack of the current Updates.

We see the startups in Hijackthis and have cleaned them up. What more did you want to remove? I believe the rest would be personal choices and it is very lean now. MsConfig will show the same items. Plus any disabled ones (Not fixed using Hijackthis, but deselected using Msconfig) will be unchecked.

Did you flush the restore points yet?

Changing those passwords is a priority too.

In Hijackthis, this can be fixed:
R3 - Default URLSearchHook is missing

Looks good. How is it running and shutting down?


----------
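Earlier in the thread the advice was to rerun HijackThis and see if there have been any changes. The following added example (not part of the thread or of HijackThis) compares two logs and reports only what appeared or disappeared, using excerpts of the 2/10 and 2/11 logs posted here; the section descriptions in `SECTIONS` are a short summary written for this example.

```python
import re

# Short description of each HijackThis section prefix seen in this thread's logs.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "R3": "URL search hook", "O2": "Browser Helper Object",
    "O4": "autostart (Run key or Startup folder)",
    "O8": "IE context menu item", "O9": "IE extra button",
    "O15": "Trusted Zone site", "O16": "ActiveX download (DPF)",
    "O23": "Windows service",
}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Excerpt of the log saved 2/10/2005 in this thread.
BEFORE = r'''Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\MSMSGS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aim.aol.com/errors/MISMATCH_PASSWD.html
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
'''
# Excerpt of the log saved 2/11/2005 in this thread.
AFTER = r'''Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SpywareGuard\sgmain.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R3 - Default URLSearchHook is missing
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
'''


def parse_log(text):
    """Return (processes, entries), each mapping a case-folded key to the original line."""
    processes, entries = {}, {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY.match(line)
        if match:
            in_processes = False
            # Windows paths are case-insensitive, so compare lower-cased text.
            entries[(match.group(1), match.group(2).lower())] = line
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes and line:
            processes[line.lower()] = line
    return processes, entries


def diff_logs(before_text, after_text):
    """List entries and processes present in only one of the two logs."""
    b_proc, b_ent = parse_log(before_text)
    a_proc, a_ent = parse_log(after_text)
    return {
        "new_entries": sorted(a_ent[k] for k in a_ent.keys() - b_ent.keys()),
        "gone_entries": sorted(b_ent[k] for k in b_ent.keys() - a_ent.keys()),
        "new_processes": sorted(a_proc[k] for k in a_proc.keys() - b_proc.keys()),
        "gone_processes": sorted(b_proc[k] for k in b_proc.keys() - a_proc.keys()),
    }


def describe(line):
    """Prefix an entry line with what its section controls."""
    match = ENTRY.match(line)
    label = SECTIONS.get(match.group(1), "other") if match else "process"
    return f"[{label}] {line}"


if __name__ == "__main__":
    for kind, lines in diff_logs(BEFORE, AFTER).items():
        print(kind)
        for line in lines:
            print("   ", describe(line))
```

The `MSMSGS` Run entry differs only in letter case between the two logs, so it is treated as unchanged; every line the diff does report still has to be identified by hand, as the new ZoneAlarm and SpywareGuard entries are here.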



## Roe727 (Mar 9, 2004)

I'm looking in program files and I have some questions as to what some of these are:
AOD
BPT
CONEXANT
Electronic Arts--inside folder that reads Network Play system
Filesubmit--inside folder marked A Jeweled Christmas
messenger-- but it is not her AIM
SAT--folders inside that are marked logs, profiles
TryMedia
XML

Can any of these be deleted?


----------



## Mosaic1 (Aug 17, 2001)

I wasn't sure on some of those and so left them. That's wise, and since there was so much, I didn't dig deeper. 

Conexant is the Modem. Leave that.

messenger-- That's msn messenger. Leave that.


I wouldn't remove anything else unless either AD-aware, Norton or Spybot marked it. A Jeweled Christmas was either a game or a Screensaver I think. A lot of that stuff can contain trojans or other malware.

Unless we knew what is inside these folders, and it was dangerous, I left them.
You'll see leftover folders in the windows Folder too. Some belong to games we uninstalled. The reason I didn't have you empty the recycle bin was as insurance against deleting the wrong item. It happens. If in a week or two, everything is running with no problems and no missing files, that Bin and the Norton Protected Bin need to be emptied too.

Again, there are leftovers. ini files and others. But we can't do it all. I never delete anything unless I know what it is. ini files are only read by the programs which use them. They are doing nothing and won't as an example.


Have you run the Online AV scans yet? One AV is not going to see everything. Running those other two will likely find other leftovers and help to clean up more.


----------



## Roe727 (Mar 9, 2004)

I will run Ad-Aware again and if it comes up I will let you know the exact location. I know it was in the registry.

I'm going to do Windows updates next and housecall.

I did run the restore.

Seems to be running well and shutting down fine.

Can you help me with the security or is there a link I can look at?


----------



## Mosaic1 (Aug 17, 2001)

Regarding those leftovers. If you want to go into the Folders and tell me what's in there, we can have a closer look.

If what Ad-Aware is finding is in the registry we can expect that. We didn't clean up most of those leftovers because that would involve tremendous hours. I would literally have to see the registry. Since many of the entries do nothing, especially without the files present and have no effect on the system they are left in place in the hopes that one of the utilities which uses a database will clear them.

Remember this link I gave you? It will help with the security settings:

http://www.computercops.biz/postt7736.html


----------



## Roe727 (Mar 9, 2004)

Ok...Thanks.


----------



## Mosaic1 (Aug 17, 2001)

You're welcome. I think this should be the last leg. Once you finish all the scans and updates you should be good to go. Let me know how you do.


----------



## Roe727 (Mar 9, 2004)

I will....I will post back shortly


----------



## Mosaic1 (Aug 17, 2001)

No hurry. I am on my way out to the Grocery store in a few minutes. I'll be back in about an hour or a little longer.


----------



## Roe727 (Mar 9, 2004)

I am running Housecall and came up with a bunch. Stand by....Most look like they are in the recycling bin, but a few are not.


----------



## Roe727 (Mar 9, 2004)

TroJ RVP.D ---Program files, common files
Troj Keenvalue.A,---Program Files, common files
troj Dloader.BE--recyclers
Troj Websearch.A--recyclers
Troj Sahagent.A---recyclers
Troj VB.CAC---recyclers
Troj Narrator.A--recyclers
Troj websearch.A--recyclers
Troj Agent.BT--recyclers
Troj TVMedia.DR. --recyclers
Troj Small.SN--recyclers
Troj Uploader.F--recyclers...............this one is listed 4 times
Troj Zapchast.J--C:\System Volume Information----this one is listed 2 times
Troj QDown.L--C:\Windows\Downloaded Programs

And it is still running.


----------



## Mosaic1 (Aug 17, 2001)

Allow the ones found in the Recycler( bin) to be deleted. Those are the files you deleted. 

Let it clean the rest. One is located in the system Restore files. No AV is allowed to remove anything in there. So after you are finished, flush the Restore again and create a new restore point.


----------



## Roe727 (Mar 9, 2004)

And I have to run it again, because I was posting at the same time you were and it deleted it...there were 23 in all.


----------



## Roe727 (Mar 9, 2004)

I'm going to reboot because I did the windows update and let it run again to give you the other ones....the other 22 Katie, were uncleanable...


----------



## Roe727 (Mar 9, 2004)

I'm rerunning Housecall and I will delete the ones marked recycler. I have changed the security settings per that link.

Can I change the homepage to something now?

What do I do about these other ones that came up on Housecall??


----------



## Roe727 (Mar 9, 2004)

When you tell it to delete them, does it delete them from the recycling bin or just the list?


----------



## Roe727 (Mar 9, 2004)

Ok...Here's the list of uncleanable ones....this is from Housecall:

TroJ RVP.D ---Program files, common file\Java\xclean.exe
Troj Keenvalue.A,---Program Files, common files\Keenvalue\wupdater.exe
Troj Zapchast.J---C:\System Volume Information\_restore (B37680B2-BA0A and there's more that I can't see---this is listed twice
Troj QDown.L--C:\WINDOWS\DOWNLOADED PROGRAM Files\QDow_AS2.dll
BKDR Adbreaker.D--C:\Windows\System32\lm6um.dll
Troj Downloadr....Windows\mm21.ocx
Troj Winreg.C....\pz.exe
Reg Lowzones.A....C:\trofkz.REG


----------



## Mosaic1 (Aug 17, 2001)

It deletes the files. 

Uncleanable. Double check that these are gone:

C:\Program files\common files\Java\xclean.exe
C:\Program Files\common files\Keenvalue\wupdater.exe In fact, delete the entire KeenValue Folder there.
C:\Windows\System32\lm6um.dll
C:\Windows\mm21.ocx
pz.exe
C:\trofkz.REG


----------



## Mosaic1 (Aug 17, 2001)

I want to have a look at something else too please.


I am attaching a zip file. Extract the bat it contains to its own folder on the desktop.


Double click on DPF.bat
It will produce and open a file named DPF.txt

Paste the contents of that here please.


----------



## Roe727 (Mar 9, 2004)

I made sure that they were gone. Anything else that you can think of that I need to do...It is running well. Thank you soooo soooo much. You have been great throughout this whole thing and I know it was a very complicated job.


----------



## Roe727 (Mar 9, 2004)

I didn't see that zip file...I'm doing it now...
I'll post back in a minute.


----------



## Mosaic1 (Aug 17, 2001)

You're very welcome. Good work. That last file I uploaded will allow us to see a list of files in a folder which normally doesn't allow that. There was something found there in your scans, so I want to have one more look there. 

To be honest, we could have gone out to the internet sooner. I wasn't sure how, who and when, so I tried to clean up as much as possible manually first. 

It looks great. Other things to tell your friends along with changing the passwords and whatever else is on that checklist:

Often these things set it up so that when a new User is created, their home and search pages point to the nasty site. If they create a new user, run Hijackthis and fix that.


Your friends are in need of some changes. One thing would be to install Mozilla Firefox and use that as their Browser. It is more secure than IE at the moment.

Regularly updating all the Security Programs like Norton, Ad-Aware, Spybot and those others you installed. Running them once a week. Looking at how the hijackthis log should look as it does now and tracking any changes will alert them to problems.


File sharing is dangerous. Installing free programs can get you more than you bargained for. We all have to take charge of our Surfing habits.

The Internet is not a friendly place. It's loaded with predators who install and can just about ruin the Computer and don't give a darn if they do. 


It's a shame.


----------



## Roe727 (Mar 9, 2004)

Here ya go:

Volume in drive C has no label.
Volume Serial Number is 1833-DDD3

Directory of C:\WINDOWS\Downloaded Program Files

02/11/2005 05:02 PM .
02/11/2005 05:02 PM ..
01/26/2005 04:03 PM 110,592 asinst.dll
01/27/2005 09:09 AM 525 asinst.inf
02/25/2004 03:48 PM 403 ATPartners.inf
12/17/2004 02:48 PM CONFLICT.1
11/22/2004 05:47 PM CONFLICT.10
11/30/2004 03:30 PM CONFLICT.11
02/06/2005 08:21 PM CONFLICT.2
12/17/2004 12:20 AM CONFLICT.3
12/17/2004 12:29 AM CONFLICT.4
11/29/2004 11:01 PM CONFLICT.5
11/30/2004 04:24 PM CONFLICT.6
11/30/2004 06:53 PM CONFLICT.7
11/18/2004 06:15 PM CONFLICT.8
11/20/2004 08:20 PM CONFLICT.9
09/03/2002 09:57 AM 65 DESKTOP.INI
10/14/1997 07:52 PM 697 DirectAnimation Java Classes.osd
11/11/2003 01:45 PM 2,252 dm.inf
02/11/2005 05:02 PM 0 DPF.txt
11/22/2004 10:22 PM 116,184 dwnldr.dll
11/22/2004 10:18 PM 301 dwnldr.inf
10/12/2003 05:34 PM 115,848 exentctl_0_0_0_1.ocx
09/15/2003 06:49 PM 388 imbum.inf
11/29/2004 07:47 PM 25,472 install007.exe
12/09/2004 10:56 AM 32,768 installer_ICMEDIAX.exe
06/18/2003 05:01 PM 691 McGDMgr.inf
02/20/2003 12:04 PM 678 mcinsctl.inf
01/20/2000 02:25 PM 1,162 Microsoft XML Parser for Java.osd
08/18/2004 01:57 PM 1,088 qdiagcc.inf
09/13/2002 09:56 AM 144 QTPlugin.inf
11/30/2004 03:27 PM 159,744 SAHAgent_.exe
06/27/2004 09:07 PM 32,768 SahHtml_.exe
11/30/2004 03:36 PM 31,744 SAHUninstall_.exe
10/13/2004 10:56 AM 1,187,840 search3.dll
05/29/2002 11:12 PM 9,488 sporder.dll
05/29/2002 10:12 PM 9,488 sporder_.dll
10/25/2004 04:05 AM 4,390 Squelchies by pogo.osd
11/09/2004 08:33 AM 127 svcmm32.inf
12/08/2003 12:58 PM 3,759 swflash.inf
03/23/2004 02:43 AM 4,151 Tri-Peaks by pogo.osd
09/10/2004 08:05 AM 138,616 WrapperOuter1154.EXE
11/04/2004 12:34 AM 252,704 WrapperOuter1154041029.EXE
11/07/2004 05:23 AM 252,704 WrapperOuter1154041105.EXE
11/09/2004 06:16 PM 252,704 WrapperOuter1154041108.EXE
12/09/2004 12:22 PM 140,064 WrapperOuter1154041207.EXE
09/11/2004 07:09 PM 138,616 WrapperOuter1155.EXE
02/04/2004 02:17 PM 185 WUInst.inf
03/24/2004 06:17 PM 1,777 xscan.inf
03/24/2004 05:22 PM 435,712 xscan53.ocx
37 File(s) 3,465,839 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.1

12/17/2004 02:48 PM .
12/17/2004 02:48 PM ..
09/27/2004 08:58 AM 71,800 HDPlugin1019.dll
12/09/2004 10:56 AM 32,768 installer_ICMEDIAX.exe
09/10/2004 08:05 AM 138,616 WrapperOuter1154.EXE
11/04/2004 12:34 AM 252,704 WrapperOuter1154041029.EXE
11/07/2004 09:20 AM 252,704 WrapperOuter1154041105.EXE
11/09/2004 06:16 PM 252,704 WrapperOuter1154041108.EXE
12/13/2004 10:10 PM 140,064 WrapperOuter1154041207.EXE
09/13/2004 07:09 AM 138,616 WrapperOuter1155.EXE
8 File(s) 1,279,976 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.10

11/22/2004 05:47 PM .
11/22/2004 05:47 PM ..
11/22/2004 05:44 PM 252,704 WrapperOuter1154041108.EXE
1 File(s) 252,704 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.11

11/30/2004 03:30 PM .
11/30/2004 03:30 PM ..
11/30/2004 03:28 PM 252,704 WrapperOuter1154041108.EXE
1 File(s) 252,704 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.2

02/06/2005 08:21 PM .
02/06/2005 08:21 PM ..
09/27/2004 09:58 AM 71,800 HDPlugin1019.dll
09/27/2004 09:58 AM 868 HDPlugin1019.inf
12/09/2004 10:56 AM 32,768 installer_ICMEDIAX.exe
09/10/2004 08:05 AM 138,616 WrapperOuter1154.EXE
11/07/2004 08:53 PM 252,704 WrapperOuter1154041105.EXE
11/09/2004 06:16 PM 252,704 WrapperOuter1154041108.EXE
12/15/2004 11:26 AM 140,064 WrapperOuter1154041207.EXE
09/20/2004 12:39 PM 138,616 WrapperOuter1155.EXE
8 File(s) 1,028,140 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.3

12/17/2004 12:20 AM .
12/17/2004 12:20 AM ..
09/27/2004 09:58 AM 71,800 HDPlugin1019.dll
09/27/2004 09:58 AM 868 HDPlugin1019.inf
12/09/2004 10:56 AM 32,768 installer_ICMEDIAX.exe
10/03/2004 11:00 PM 138,616 WrapperOuter1154.EXE
11/08/2004 07:45 AM 252,704 WrapperOuter1154041105.EXE
11/13/2004 01:04 AM 252,704 WrapperOuter1154041108.EXE
10/14/2004 08:15 PM 138,616 WrapperOuter1155.EXE
7 File(s) 888,076 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.4

12/17/2004 12:29 AM .
12/17/2004 12:29 AM ..
09/27/2004 09:58 AM 71,800 HDPlugin1019.dll
12/09/2004 10:56 AM 32,768 installer_ICMEDIAX.exe
10/04/2004 10:41 AM 138,616 WrapperOuter1154.EXE
11/08/2004 07:45 AM 252,704 WrapperOuter1154041105.EXE
11/16/2004 10:21 AM 252,704 WrapperOuter1154041108.EXE
5 File(s) 748,592 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.5

11/29/2004 11:01 PM .
11/29/2004 11:01 PM ..
09/27/2004 09:58 AM 71,800 HDPlugin1019.dll
09/27/2004 09:58 AM 868 HDPlugin1019.inf
10/29/2004 09:33 AM 138,616 WrapperOuter1154.EXE
11/16/2004 10:21 AM 252,704 WrapperOuter1154041108.EXE
4 File(s) 463,988 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.6

11/30/2004 04:24 PM .
11/30/2004 04:24 PM ..
09/27/2004 09:58 AM 71,800 HDPlugin1019.dll
09/27/2004 09:58 AM 868 HDPlugin1019.inf
11/16/2004 10:21 AM 252,704 WrapperOuter1154041108.EXE
3 File(s) 325,372 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.7

11/30/2004 06:53 PM .
11/30/2004 06:53 PM ..
09/27/2004 09:58 AM 71,800 HDPlugin1019.dll
09/27/2004 09:58 AM 868 HDPlugin1019.inf
11/16/2004 10:21 AM 252,704 WrapperOuter1154041108.EXE
3 File(s) 325,372 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.8

11/18/2004 06:15 PM .
11/18/2004 06:15 PM ..
11/16/2004 10:21 AM  252,704 WrapperOuter1154041108.EXE
1 File(s) 252,704 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.9

11/20/2004 08:20 PM .
11/20/2004 08:20 PM ..
11/16/2004 10:21 AM 252,704 WrapperOuter1154041108.EXE
1 File(s) 252,704 bytes

Total Files Listed:
79 File(s) 9,536,171 bytes
35 Dir(s) 22,881,738,752 bytes free


----------



## Mosaic1 (Aug 17, 2001)

Give me a few minutes. It's loaded with junk. I do not think HijackThis showed it all. 

Can I see a new HT log please? 

Also, can you create a copy of the Downloaded Program Files, right click on that copy and choose Send To Compressed. Then email that compressed file at
Katie_3232 @hotmail.com

Remove the Space in the email address for it to work.

I am tired and want to triple check to be sure I give you good and complete advice. Seeing the files will help me to do that.


----------



## Roe727 (Mar 9, 2004)

Here's the Log: Where do I find the Downloaded Program Files???

Logfile of HijackThis v1.99.0
Scan saved at 5:11:30 PM, on 2/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\AOL COMPANION\COMPANION.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Susan Zweig\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.0.1.20/squelchies/squelchies-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet/peaks/peaks-ob-assets.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr_ext.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## Mosaic1 (Aug 17, 2001)

In the Windows Folder:
C:\WINDOWS\Downloaded Program Files


----------



## Roe727 (Mar 9, 2004)

She is not using McAfee anymore either, so we should probably get rid of anything that has to do with it as well.


----------



## Mosaic1 (Aug 17, 2001)

The log looks clean. But you definitely have files hiding from us in the downloaded Program Files folder and HT is not picking them up. After I see everything, I'll give you directions on clearing them out.


----------
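
An added example, not part of the thread and not Mosaic1's batch files: a Python script that parses a `dir /s` listing in the form DPF.bat produced and flags the kinds of entries the thread goes on to remove from Downloaded Program Files (standalone .exe files, names repeated across CONFLICT folders, empty folders). The sample listing is constructed, the function names are hypothetical, and treating .exe files as review candidates is a heuristic assumed here.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the `dir /s` output pasted in the thread.
# The <DIR> markers are missing there, so directory rows carry no size column.
SAMPLE = r"""
 Directory of C:\WINDOWS\Downloaded Program Files

02/11/2005 05:02 PM .
02/11/2005 05:02 PM ..
12/17/2004 02:48 PM CONFLICT.1
11/22/2004 05:47 PM CONFLICT.10
09/03/2002 09:57 AM 65 DESKTOP.INI
11/30/2004 03:27 PM 159,744 SAHAgent_.exe
11/09/2004 06:16 PM 252,704 WrapperOuter1154041108.EXE
03/24/2004 05:22 PM 435,712 xscan53.ocx
4 File(s) 848,225 bytes

 Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.1

12/17/2004 02:48 PM .
12/17/2004 02:48 PM ..
09/27/2004 08:58 AM 71,800 HDPlugin1019.dll
11/09/2004 06:16 PM 252,704 WrapperOuter1154041108.EXE
2 File(s) 324,504 bytes

 Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.10

11/22/2004 05:47 PM .
11/22/2004 05:47 PM ..
0 File(s) 0 bytes
"""

DIR_RE = re.compile(r"^Directory of (.+)$")
# date, time, optional <DIR>, optional size with thousands separators, name
ROW_RE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+"
    r"(?:<DIR>\s+)?(?:(?P<size>\d[\d,]*)\s+)?(?P<name>.+)$"
)


def parse_dir_listing(text):
    """Return {directory: [(filename, size_in_bytes), ...]}."""
    tree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = DIR_RE.match(line)
        if header:
            current = header.group(1)
            tree[current] = []
            continue
        row = ROW_RE.match(line)
        if not row or current is None:
            continue  # blank lines, "N File(s)" summaries, volume info
        name, size = row.group("name"), row.group("size")
        if name in (".", "..") or size is None:
            continue  # rows without a size are subdirectories
        tree[current].append((name, int(size.replace(",", ""))))
    return tree


def triage(tree):
    """Flag entries worth a closer look before anything is deleted."""
    executables, empty_dirs = [], []
    seen_in = defaultdict(set)
    for directory, files in tree.items():
        if not files:
            empty_dirs.append(directory)
        for name, _size in files:
            seen_in[name.lower()].add(directory)
            if name.lower().endswith(".exe"):
                executables.append(directory + "\\" + name)
    repeated = {n: len(d) for n, d in seen_in.items() if len(d) > 1}
    return {"executables": executables,
            "empty_dirs": empty_dirs,
            "repeated": repeated}


if __name__ == "__main__":
    report = triage(parse_dir_listing(SAMPLE))
    for key, value in report.items():
        print(key, value)
```
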



## Roe727 (Mar 9, 2004)

I'm trying but it doesn't seem to be attaching. First I zipped it and then I couldn't find it....ahhhh....but when I searched it said it was in the windows file, but only the regular one was there, not the zipped one....nothing has been easy with this computer. But....I'll make it..I'm going to keep trying.


----------



## Mosaic1 (Aug 17, 2001)

It may be too big. If you open Outlook Express you can drag and drop the zip into the body of the email and it will attach.


----------



## Roe727 (Mar 9, 2004)

Katie she doesn't have outlook express set up....I can't get this file to you...


----------



## Mosaic1 (Aug 17, 2001)

Ok I don't know why I had you make a copy of the folder and then zip it. You can right click on Downloaded Program files and Choose Send to Compressed.

Use this trick to then find the zip:

Go to start >Run and paste in this to open an explorer window with the zip highlighted in the right pane:
*Explorer.exe /n,/e,/select, C:\windows\Downloaded Program Files.zip*


----------



## Mosaic1 (Aug 17, 2001)

Is there any Email there at all? Otherwise Maybe attach here and after I get it, immediately you can remove the attachment. It will contain nasties.


----------



## Roe727 (Mar 9, 2004)

I zipped it and found it, but it won't attach to the e-mail or this log.


----------



## Roe727 (Mar 9, 2004)

When I try to upload it here I get an IE error that the page can't be displayed.


----------



## Mosaic1 (Aug 17, 2001)

Give me a minute. I have another place for you to upload but need to get the directions.


----------



## Roe727 (Mar 9, 2004)

If I'm not done here soon, I'm going to have to wait until tomorrow Katie. I have to go out soon.


----------



## Mosaic1 (Aug 17, 2001)

Go to this forum and register.
http://www.thespykiller.co.uk/forum/index.php

This is a shortcut to the Uploads Category. Start a new post there and explain I asked for this and we can't use email or attach elsewhere. Then upload the zip. Let me know and I'll go over and get it. You will not be able to see the attachment, but I will.
http://www.thespykiller.co.uk/forum/index.php?board=1.0

Thanks. I am too tired to guess at the structure in that folder and want to be sure I do this right.


----------



## Roe727 (Mar 9, 2004)

Katie I'm trying to post, can you check on it. It seems to be sitting....we might have to finish this tomorrow. I have about another half hour then I have to leave.


----------



## Mosaic1 (Aug 17, 2001)

No Problem. It may be too large.

Have a read and see:
http://www.thespykiller.co.uk/forum/index.php?topic=5.0


----------



## Roe727 (Mar 9, 2004)

It doesn't seem to want to go.


----------



## Roe727 (Mar 9, 2004)

7.21mb


----------



## Roe727 (Mar 9, 2004)

I'm trying it one more time.


----------



## Roe727 (Mar 9, 2004)

Doesn't seem to be working. Any other ideas?


----------



## Mosaic1 (Aug 17, 2001)

That's huge . Go to Downloaded Program files and tell me what you see.


----------



## Mosaic1 (Aug 17, 2001)

I'll be able to write a batch to remove the junk. Let's call it a day after this one.


----------



## Roe727 (Mar 9, 2004)

This is what is in there:
{4ED9DDFO-7479-4BBE-9335-5A1EDB1D8A21} Unknown 4KB
{BCCOFF27-31D9-4614-a68e-c18e1ada4389} Unknown 4 KB
ActiveScan Install Class Installed 112 KB 
Downloader Class Installed 120 KB
ExentInf Class Installed 116 KB
HouseCall Control Installed 780 KB
QDiagAOLCCUpdateObj Class Installed 1,328 KB 
QuickTime Object Installed 4KB
Shockwave Flash Object Installed 4KB
Squelchies by pogo Installed 2,360 KB
Tri-Peaks by pogo Installed 1,496

Yes I'm going to need to call it a night. What time will you be around tomorrow?
BTW...you have the patience of a saint.


----------



## Roe727 (Mar 9, 2004)

Do you think I should defrag tonight?


----------



## Mosaic1 (Aug 17, 2001)

I'll be around after lunch time I think. LOL


Thanks for the compliment. After a break, I'll be better able to help.

I haven't been too effective today.


----------



## Roe727 (Mar 9, 2004)

Thank you and have a great night and I'll see you tomorrow afternoon. Thanks for everything.


----------



## Mosaic1 (Aug 17, 2001)

A defrag would be a good idea.


----------



## ~Candy~ (Jan 27, 2001)

I'll be traveling tomorrow kiddies, so I'll miss all the rest of your fun. You've done a great job (both of you) hanging in there on this one! I await the final outcome when I check back on Sunday!!!


----------



## Mosaic1 (Aug 17, 2001)

Have a good trip, Candy.

Roe,

If we delete the wrong file it is not a disaster. If needed by a Web Page and missing, they will be prompted to download again.

I have uploaded a zip containing a batch. Extract the batch file and run it. It will delete a lot of those files from Downloaded Program Files.

The batch is named:
*Clean up DPF.bat*

After it has finished running, run *DPF.bat* (The file you ran earlier to get the contents of Downloaded Program Files) again and post the contents of the text file it will open.

We can finish by unregistering the occache.dll file and going into Downloaded Program files. It will look different and I can get a copy of whichever files left which we may need to look at. Then you can register occache.dll again and the folder will be back to normal. I'll go into how to do that tomorrow.

Katie


----------



## Roe727 (Mar 9, 2004)

Ok, I ran Clean up DPF.bat and then ran DPF. bat and here are the results:

Volume in drive C has no label.
Volume Serial Number is 1833-DDD3

Directory of C:\WINDOWS\Downloaded Program Files

02/12/2005 07:23 AM .
02/12/2005 07:23 AM ..
01/26/2005 04:03 PM 110,592 asinst.dll
01/27/2005 09:09 AM 525 asinst.inf
02/12/2005 07:23 AM CONFLICT.1
02/12/2005 07:23 AM CONFLICT.10
02/12/2005 07:23 AM CONFLICT.11
02/12/2005 07:23 AM CONFLICT.2
02/12/2005 07:23 AM CONFLICT.3
02/12/2005 07:23 AM CONFLICT.4
02/12/2005 07:23 AM CONFLICT.5
02/12/2005 07:23 AM CONFLICT.6
02/12/2005 07:23 AM CONFLICT.7
02/12/2005 07:23 AM CONFLICT.8
02/12/2005 07:23 AM CONFLICT.9
09/03/2002 09:57 AM 65 DESKTOP.INI
10/14/1997 07:52 PM 697 DirectAnimation Java Classes.osd
11/11/2003 01:45 PM 2,252 dm.inf
02/12/2005 07:25 AM 0 DPF.txt
11/22/2004 10:22 PM 116,184 dwnldr.dll
11/22/2004 10:18 PM 301 dwnldr.inf
10/12/2003 05:34 PM 115,848 exentctl_0_0_0_1.ocx
09/15/2003 06:49 PM 388 imbum.inf
06/18/2003 05:01 PM 691 McGDMgr.inf
02/20/2003 12:04 PM 678 mcinsctl.inf
01/20/2000 02:25 PM 1,162 Microsoft XML Parser for Java.osd
08/18/2004 01:57 PM 1,088 qdiagcc.inf
09/13/2002 09:56 AM 144 QTPlugin.inf
10/25/2004 04:05 AM 4,390 Squelchies by pogo.osd
12/08/2003 12:58 PM 3,759 swflash.inf
03/23/2004 02:43 AM 4,151 Tri-Peaks by pogo.osd
02/04/2004 02:17 PM 185 WUInst.inf
03/24/2004 06:17 PM 1,777 xscan.inf
03/24/2004 05:22 PM 435,712 xscan53.ocx
21 File(s) 800,589 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.1

02/12/2005 07:23 AM .
02/12/2005 07:23 AM ..
09/27/2004 08:58 AM 71,800 HDPlugin1019.dll
1 File(s) 71,800 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.10

02/12/2005 07:23 AM .
02/12/2005 07:23 AM ..
0 File(s) 0 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.11

02/12/2005 07:23 AM .
02/12/2005 07:23 AM ..
0 File(s) 0 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.2

02/12/2005 07:23 AM .
02/12/2005 07:23 AM ..
09/27/2004 09:58 AM 71,800 HDPlugin1019.dll
09/27/2004 09:58 AM 868 HDPlugin1019.inf
2 File(s) 72,668 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.3

02/12/2005 07:23 AM .
02/12/2005 07:23 AM ..
09/27/2004 09:58 AM 71,800 HDPlugin1019.dll
09/27/2004 09:58 AM 868 HDPlugin1019.inf
2 File(s) 72,668 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.4

02/12/2005 07:23 AM .
02/12/2005 07:23 AM ..
09/27/2004 09:58 AM 71,800 HDPlugin1019.dll
1 File(s) 71,800 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.5

02/12/2005 07:23 AM .
02/12/2005 07:23 AM ..
09/27/2004 09:58 AM 71,800 HDPlugin1019.dll
09/27/2004 09:58 AM 868 HDPlugin1019.inf
2 File(s) 72,668 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.6

02/12/2005 07:23 AM .
02/12/2005 07:23 AM ..
09/27/2004 09:58 AM 71,800 HDPlugin1019.dll
09/27/2004 09:58 AM 868 HDPlugin1019.inf
2 File(s) 72,668 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.7

02/12/2005 07:23 AM .
02/12/2005 07:23 AM ..
09/27/2004 09:58 AM 71,800 HDPlugin1019.dll
09/27/2004 09:58 AM 868 HDPlugin1019.inf
2 File(s) 72,668 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.8

02/12/2005 07:23 AM .
02/12/2005 07:23 AM ..
0 File(s) 0 bytes

Directory of C:\WINDOWS\Downloaded Program Files\CONFLICT.9

02/12/2005 07:23 AM .
02/12/2005 07:23 AM ..
0 File(s) 0 bytes

Total Files Listed:
33 File(s) 1,307,529 bytes
35 Dir(s) 22,939,549,696 bytes free

See ya soon.


----------



## Mosaic1 (Aug 17, 2001)

Now we can make the Downloaded Programs Folder more accessible and have a look at a few I was not sure about.

If you go to Start>Run and paste in this command and then press enter:
*regsvr32 /u occache.dll*

now when you open C:\Windows\Downloaded Program Files
the view will be very different.

I am puzzled because there are multiple instances of some legitimate files. But we'll leave those alone.

Let's first delete any of those Conflict Folders which are empty. 
C:\WINDOWS\Downloaded Program Files\CONFLICT.10
C:\WINDOWS\Downloaded Program Files\CONFLICT.11
C:\WINDOWS\Downloaded Program Files\CONFLICT.8
C:\WINDOWS\Downloaded Program Files\CONFLICT.9

I think some of these can go too. I'd like to have a look first, though.
Can you create a new folder elsewhere, not in Downloaded Program files, and make copies of these files please?
asinst.dll
asinst.inf
dm.inf
dwnldr.dll
dwnldr.inf
exentctl_0_0_0_1.ocx
imbum.inf
McGDMgr.inf
mcinsctl.inf

Right click on that folder and choose send to >Compressed.

Then attach it to an email and send.

The last step is to register that dll again.

Close the Downloaded Programs Folder.

Go to Start>Run 
Paste in this command and then press enter:

*regsvr32 occache.dll*


----------



## Roe727 (Mar 9, 2004)

Good afternoon!! I ran those commands and copied those files so it should be there shortly. If you don't get it, let me know and I'll attach it here and unattach it after you view it. I defragged the computer. It is running pretty good. Sometimes I still think it is a bit slow, but compared to how it WAS running, it is running a lot better. I got a weird message though this morning when I tried to boot in safe mode to defrag, saying "keyboard failure", I'm not sure what that was about. I actually switch up the keyboard and tried again and got the same thing and then on the third try it booted in safe mode. Anyway, let me know what you think of those files. I'll be here.


----------



## Mosaic1 (Aug 17, 2001)

I checked my email and nothing is there. Go ahead and upload and then remove once I get the files. Thanks. But you don't get a keyboard failure message in normal Windows mode? And this just started?


----------



## Mosaic1 (Aug 17, 2001)

When you reboot to go into Safe Mode and press the F8 key, are you waiting for the Dell Logo to come up first?


----------



## Roe727 (Mar 9, 2004)

Nope....weird, but maybe because I'm holding down the F8 key?? I know it shouldn't and it wasn't happening before when I was starting it in safe mode. Here's the file, let me know when to delete it.


----------



## Roe727 (Mar 9, 2004)

To be honest, I'm not sure. But I think so, because I think if you hold it down before that it just makes a clicking sound. I'll try it again later and if there is a problem, I'll pick your brains on it again.


----------



## Mosaic1 (Aug 17, 2001)

The computer has had a lot of moving and shaking. Literally too. It was moved from one house to another. If there is a problem with the hardware, it will eventually show up in regular Windows mode as well. 

Let's try something. Go To Msconfig and click the Boot.ini tab.


Be careful here or Windows won't boot. Do only what I ask.

Under Boot options, select /SAFEBOOT

The minimal options will automatically be selected. Keep that as it is.

Restart and Windows should automatically boot into Safe Mode. See if you get the error.

Once in Safe Mode go back to msconfig>Boot.ini

Uncheck /SAFEBOOT

Restart into regular Windows. 

EDIT: I have the files. Go ahead and remove the attachment.


----------



## Roe727 (Mar 9, 2004)

The files are attached in post 282.


----------



## Roe727 (Mar 9, 2004)

I did as you instructed and got no error message, so I'm just going to wait and IF it should happen again I will let you know.


----------



## Roe727 (Mar 9, 2004)

BTW....This computer will be having Verizon DSL put on it next weekend and AOL 9.0 uninstalled.


----------



## Roe727 (Mar 9, 2004)

Katie did you get the zip file in post 282?


----------



## Mosaic1 (Aug 17, 2001)

Hi,

Nice. DSL will be a big improvement for them.

Yes I did. I had to do a few things. Sorry.

Let's unregister again:

Start>Run 
regsvr32 /u occache.dll

Press enter.

exentctl_0_0_0_1.ocx

http://www.exent.com/index.asp

This is where the AOD folder you asked about came from.

This is for games. If you remove it and they want to use it they will be prompted to download again. I am not sure if the games are good or bad. LOL That would take more research. Go ahead and delete the file.

dm.inf Comet Installer. Spyware.----- Delete
Panda Scan installer. If you go back for scan they will download as needed.
asinst.dll
asinst.inf

imbum.inf -- delete

Then close up and register again.

regsvr32 occache.dll


----------



## Roe727 (Mar 9, 2004)

Do you want me to delete PandaScan Installer, asinst.dll and asinst.inf?


----------



## Mosaic1 (Aug 17, 2001)

Yes. If you go back there it will reinstall. That's the beauty of the Downloaded Programs folder. Deleting won't really hurt.


After you do that and have registered again reopen the folder. Right click on any items and if they say damaged, then delete those too.


----------



## Roe727 (Mar 9, 2004)

I did that ... the only one that said damaged was the ActiveScan Installer Class.


----------



## Mosaic1 (Aug 17, 2001)

Good. That's to be expected since we deleted its files. So it can go out the door too. Do you have any other questions? I think the DPF was the last piece to clean.


----------



## Mosaic1 (Aug 17, 2001)

If everything is working ok, go ahead and flush the restore points once more and then create a new one.


----------



## Mosaic1 (Aug 17, 2001)

I'll be leaving at 3:30 and won't be back until after dinner time or later, if at all. It depends on how things go here.


----------



## Roe727 (Mar 9, 2004)

I flushed the restore points again. I think it is running well. One last hijackthis log:

Logfile of HijackThis v1.99.0
Scan saved at 3:15:28 PM, on 2/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Susan Zweig\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.0.1.20/squelchies/squelchies-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet/peaks/peaks-ob-assets.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr_ext.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## Roe727 (Mar 9, 2004)

Can I fix anything here that says mcafee since she isn't even using it anymore?


----------



## Mosaic1 (Aug 17, 2001)

Yes. You may as well tie up loose ends.

These can be fixed too:
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared...72/mcinsctl.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download....ctl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/s...,19/mcgdmgr.cab

It looks great. Remember to be careful when you move the computer so you don't jostle anything.

If you look near the top of the topic, you'll see an arrow Thread Tools. You can mark this one Solved if you like.
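
An added example, not part of the original posts: picking leftover Downloaded Program Files (O16 - DPF) entries for one vendor out of a HijackThis log by parsing each line and comparing the codebase host, rather than searching the text for the vendor's name. The function names are hypothetical, and the sample log is four O16 lines from the log above plus one constructed lookalike line.

```python
import re
from urllib.parse import urlsplit

# O16 lines copied from the HijackThis log in this thread, plus one
# constructed lookalike line (the .invalid host) to exercise the host check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet/peaks/peaks-ob-assets.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} - http://mcafee.com.example.invalid/constructed.cab
"""

# "O16 - DPF: <CLSID or name> [(<class name>)] - <codebase URL>"
O16_RE = re.compile(
    r"^O16 - DPF: (?P<id>\{[0-9A-Fa-f-]{36}\}|.+?)"
    r"(?: \((?P<cls>[^)]*)\))? - (?P<url>\S+)$"
)

def parse_dpf(log_text):
    """Return one dict per O16 (Downloaded Program Files) line."""
    entries = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if not m:
            continue  # other sections (R0, O4, O23 ...) are ignored here
        host = (urlsplit(m["url"]).hostname or "").lower()
        entries.append({"id": m["id"], "class": m["cls"], "host": host, "url": m["url"]})
    return entries

def from_domain(entries, domain):
    """Entries whose codebase host is `domain` or a subdomain of it.

    A plain substring test on the line would also match the lookalike host.
    """
    domain = domain.lower()
    return [e for e in entries
            if e["host"] == domain or e["host"].endswith("." + domain)]

if __name__ == "__main__":
    for e in from_domain(parse_dpf(SAMPLE_LOG), "mcafee.com"):
        print(e["id"], e["class"] or "(no class name)", e["host"])
```

Entries served from a CDN host, such as the HouseCall control in the log above, cannot be attributed by host and have to be matched on the class name instead.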


----------



## Roe727 (Mar 9, 2004)

Sounds good. I can't believe it is finally finished. Thank you for all your hard work I really appreciate it.


----------



## Mosaic1 (Aug 17, 2001)

Roe,

You're very welcome. I admit to going the long way around because of the multiple issues, but we got there. Cleaning a computer by hand is not fun. Your friends are lucky you did this. 


Take care and if there are any problems, post back.

Katie


----------



## ~Candy~ (Jan 27, 2001)

Congrats to both of you! Love good news and threads marked solved


----------

