
Help with ridding searchxl

Discussion in 'Virus & Other Malware Removal' started by goskins, Oct 19, 2003.

  1. goskins

    goskins Thread Starter

    Joined:
    Oct 19, 2003
    Messages:
    29
    Just got rid of searchv, found that I've got searchxl on my computer, too. I've tried to use HT to erase searchxl, but it keeps coming back. Searchv hasn't come back (yet). I'll post my HT log - wanted to know if I got rid of searchv completely and how to get rid of searchxl. Also, if I've got anything else suspicious lurking - my computer seems to be working more slowly than usual. Thanks very, very much in advance.

    Logfile of HijackThis v1.97.3
    Scan saved at 8:56:07 PM, on 10/19/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\svchost.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\GWMDMMSG.exe
    C:\WINDOWS\mHotkey.exe
    C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Media\Media\UpdateStats.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\IEDriver\IEDriver.exe
    C:\WINDOWS\uptodate.exe
    C:\WINDOWS\rundll16.exe
    C:\Program Files\BestBuy\HelpExpress\HXDL.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\ESPN\BottomLine\bline.exe
    C:\windows\winlogon.exe
    C:\WINDOWS\iedll.exe
    C:\Documents and Settings\Mike Branham\Application Data\epms.exe
    C:\WINDOWS\System32\winservn.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINDOWS\System32\Yly3.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\WINDOWS\System32\KsbsD3.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\systray.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\BellSouth\Connection Manager\CManager.exe
    C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Bargain Buddy\bin2\bargains.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Mike Branham\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchxl.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.searchxl.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\sb.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchxl.com/ie/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchxl.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchxl.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchxl.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bellsouth.net/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://support.fastaccess.com/launch.asp
    O1 - Hosts: 216.177.73.139 auto.search.msn.com
    O1 - Hosts: 66.197.100.83 sitefinder.verisign.com
    O1 - Hosts: 216.177.73.139 search.netscape.com
    O1 - Hosts: 216.177.73.139 ieautosearch
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\Program Files\Srng\SNHelper.dll
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
    O2 - BHO: (no name) - {55BCFD4A-A887-4E9F-AF01-77C67199BE80} - C:\WINDOWS\System32\dmuloader.dll
    O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
    O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin2\apuc.dll
    O2 - BHO: (no name) - {f760cb9e-c60f-4a89-890e-fae8b849493e} - C:\WINDOWS\madise.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll (file missing)
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [spp] regedit -s C:\sp.reg
    O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
    O4 - HKLM\..\Run: [[email protected]] C:\WINDOWS\System32\Lnu4N.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
    O4 - HKLM\..\Run: [msbb] C:\Program Files\n-CASE\msbb.exe
    O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
    O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
    O4 - HKLM\..\Run: [Srng] \Program Files\Srng\Srng.exe
    O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\BestBuy\HelpExpress\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE" -run
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
    O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
    O4 - HKCU\..\Run: [iedll] c:\WINDOWS\iedll.exe
    O4 - HKCU\..\Run: [loader] c:\WINDOWS\loader.exe
    O4 - HKCU\..\Run: [Snlu] C:\Documents and Settings\Mike Branham\Application Data\epms.exe
    O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: Web Search - c:\windows\ex.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
    O15 - Trusted Zone: *.pluginaccess.com
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} - http://www.spyblast.com/download/SBFull.cab
    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} (IRDIXAObj Class) -
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    goskins

    Welcome to TSG!

    Click on the link below and it will download CWShredder. Close all browser windows. UnZip it and click on the cwshredder.exe and let it do its thing.

    http://www.spychecker.com/download/download_cwshredder.html

    When it is finished restart your computer.

    Go here http://www.lavasoftusa.com/software/adaware/ and download Adaware 6

    Install the program and launch it.

    I strongly recommend that you read the help file to familiarize yourself with the program.

    Before running the scan look at the top of the main window and you will see a Gear Icon. This is where you configure the settings. Click on that and then in the next window that pops up click on the "Scanning" tab on the left side. Under "Drives and Folders" put a check by "Scan within archives" and below that under "Memory and Registry" put a check by all the options there.
    Then click on the "Tweak" tab and under "Scanning engine" put a check by "Unload recognized processes during scanning", then under "Cleaning engine" put a check by "Let windows remove files in use at next reboot", then click "Proceed".

    Next in the main window look in the bottom right corner and click on "Check for updates now" and get the latest referencefiles.
    After getting the latest referencefiles you are ready to scan.

    Click "Start" and in the next window make sure "Active in depth scanning" is checked then click "Next" and the scan will begin.

    When it is finished let it fix everything it finds.

    Restart your computer.

    Then go here http://spybot.eon.net.au/index.php?lang=en&page=download and download Spybot.

    Install the program and launch it.

    Before scanning press "Online" and "Search for Updates".

    Put a check mark at and install all updates.

    Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

    Restart your computer.

    Be sure and take advantage of the "Immunize" feature in Spybot.

    Finally go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to help prevent future attacks.
    On this page you will find links to Javacool's SpywareBlaster and SpywareGuard. Get them both and check for updates frequently.
    The Immunize feature in Spybot used in conjunction with SpywareBlaster, SpywareGuard and weekly scans with Spybot and Adaware will go a long way toward keeping your PC free of these pests.

    Important!: ALWAYS check for updated detections and referencefiles before scanning with Spybot and Adaware. And be sure to check for updates to SpywareBlaster and SpywareGuard on a weekly basis.

    After all that come back here and post another log and we'll get rid of what's left.
     
  3. goskins

    goskins Thread Starter

    Joined:
    Oct 19, 2003
    Messages:
    29
    Thanks very much, flrman1! Computer speed seems to be normal again, and searchxl seems to be gone from my IE toolbar. One question, though - when I reboot, a window pops up that is labeled C:WINDOWS\System32\cmd.exe or something close to that. It has been popping up since my trouble started, but I don't remember it before that. Should I be concerned? I'll post my HT log below. Again, thanks very much in advance!!!

    Logfile of HijackThis v1.97.3
    Scan saved at 8:53:28 AM, on 10/20/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\GWMDMMSG.exe
    C:\WINDOWS\mHotkey.exe
    C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\ESPN\BottomLine\bline.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\systray.exe
    C:\Program Files\BellSouth\Connection Manager\CManager.exe
    C:\WINDOWS\System32\Yly3.exe
    C:\WINDOWS\System32\Yly3.exe
    C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Documents and Settings\Mike Branham\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bellsouth.net/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://support.fastaccess.com/launch.asp
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 66.197.100.83 auto.search.msn.com
    O1 - Hosts: 66.197.100.83 sitefinder.verisign.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
    O4 - HKLM\..\Run: [[email protected]] C:\WINDOWS\System32\PikPVfD1.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: Web Search - c:\windows\ex.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37914.210625
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
     
  4. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    goskins

    Please in the future post back to the original thread. It makes it much easier for everyone to keep up with what has been done as all of us here wish to learn from our experiences here.

    I have asked the mods to merge this thread with your original thread.

    I must have missed it the first time but it looks to me like you have the peper.a trojan which is quite difficult to remove.

    I am going to suggest a program to remove it but first I'm going to look through your log and get rid of some of the other malware/clutter first.

    Give me a few minutes.

    Edit: I see $teve has already suggested what I was going to so go ahead and do that first and we'll get rid of the others afterwards.
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    As an added suggestion personally I think it is best to run TDS-3 in safe mode.
     
  7. goskins

    goskins Thread Starter

    Joined:
    Oct 19, 2003
    Messages:
    29
    I'm back guys! Sorry for the confusion about the postings. I ran TDS3 and it identified one problem:

    Scan Control Dumped @ 08:12:08 21-10-03
    (DELETED) Positive identification: TrojanDownloader.Win32.AdGoblin
    File: c:\documents and settings\mike branham\local settings\temp\iic3c.exe

    As it says, I did delete it - hope that was OK. Here's my latest HT log. Again, thanks very much for all your help!

    Logfile of HijackThis v1.97.3
    Scan saved at 8:13:49 AM, on 10/21/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\GWMDMMSG.exe
    C:\WINDOWS\mHotkey.exe
    C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\ESPN\BottomLine\bline.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\BellSouth\Connection Manager\CManager.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\systray.exe
    C:\WINDOWS\System32\MuqaZ.exe
    C:\WINDOWS\System32\Bin9fP78.exe
    C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Mike Branham\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bellsouth.net/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://support.fastaccess.com/launch.asp
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 66.197.100.83 auto.search.msn.com
    O1 - Hosts: 66.197.100.83 sitefinder.verisign.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
    O4 - HKLM\..\Run: [[email protected]] C:\WINDOWS\System32\PikPVfD1.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: Web Search - c:\windows\ex.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37914.210625
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    goskins

    You still have the peper.a trojan.

    Let's get rid of some of the other malware and then update TDS-3 again (new detections are released daily) and run it again in safe mode.

    Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R3 - Default URLSearchHook is missing

    O1 - Hosts: 66.197.100.83 auto.search.msn.com
    O1 - Hosts: 66.197.100.83 sitefinder.verisign.com

    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray

    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

    Restart.

    Go here http://tds.diamondcs.com.au/index.php?page=update
    and do the manual update again and get the detection update released today.

    Right click on the radius.td3 file and choose "Save target as". Then in the "Save in" box browse to the C:\Program Files\TDS3 folder (provided that is the location of your TDS-3 directory) and save it there. A prompt will appear telling you that there is already a radius.td3 file there "do you want to overwrite it" click Yes.

    Run the "full System scan" again preferably in safe mode.

    Note: Temporarily disable your Antivirus program.

    When the scan is finished in TDS-3 click on the "TDS" tab in the upper left corner then click "View Logfile". Open the logfile of the scan you just completed and copy and paste it back here along with an updated Hijack This log.
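
The thread proceeds by comparing each new HijackThis log with the previous one. The following is an added example, not part of any post here and not a HijackThis feature: it parses two excerpts abridged from the 10/19 and 10/20 logs above and reports which entries were removed, added, or kept their key but changed value. The function names `parse_log` and `diff_scans` are this example's own.

```python
import re

# Excerpts abridged from the 10/19 and 10/20 logs posted in this thread.
# The "[email protected]" value name is reproduced exactly as the page shows it.
SCAN_1 = r"""
Logfile of HijackThis v1.97.3
Scan saved at 8:56:07 PM, on 10/19/2003

Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\System32\Yly3.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchxl.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [[email protected]] C:\WINDOWS\System32\Lnu4N.exe
"""

SCAN_2 = r"""
Logfile of HijackThis v1.97.3
Scan saved at 8:53:28 AM, on 10/20/2003

Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Yly3.exe
C:\WINDOWS\System32\HPZipm12.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
R3 - Default URLSearchHook is missing
O1 - Hosts: 66.197.100.83 auto.search.msn.com
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [[email protected]] C:\WINDOWS\System32\PikPVfD1.exe
"""

# Any coded entry line, e.g. "R1 - ...", "O16 - ..."
CODED_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# "Hosts: <ip> <hostname>": key on the hostname, compare the IP
HOSTS_RE = re.compile(r"^Hosts: (\S+)\s+(\S+)$")
# "HKLM\..\Run: [value name] command": key on hive + value name, compare the command
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\]\s+(.*)$")


def parse_log(text):
    """Return (processes, entries) for a HijackThis v1.97-style log.

    processes: set of lower-cased image paths from "Running processes:".
    entries:   dict mapping (code, key) -> value, so two scans can be compared.
    """
    processes, entries, in_procs = set(), {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = CODED_RE.match(line)
        if m:
            in_procs = False  # the first coded line ends the process list
            code, body = m.groups()
            key, value = body, ""
            if code == "O1" and (h := HOSTS_RE.match(body)):
                key, value = h.group(2).lower(), h.group(1)
            elif code == "O4" and (r := RUN_RE.match(body)):
                key = f"{r.group(1)}\\{r.group(2)}\\{r.group(3)}"
                value = r.group(4)
            elif " =" in body:  # registry style: "key,value name = data"
                key, _, value = body.partition(" =")
                value = value.strip()
            entries[(code, key)] = value
        elif in_procs and line:
            processes.add(line.lower())
    return processes, entries


def diff_scans(before, after):
    """Compare two logs and list removed, added and changed entries."""
    procs_a, ent_a = parse_log(before)
    procs_b, ent_b = parse_log(after)
    return {
        "removed": sorted(k for k in ent_a if k not in ent_b),
        "added": sorted(k for k in ent_b if k not in ent_a),
        "changed": sorted((k, ent_a[k], ent_b[k])
                          for k in ent_a
                          if k in ent_b and ent_a[k] != ent_b[k]),
        "new_processes": sorted(procs_b - procs_a),
    }


if __name__ == "__main__":
    for section, items in diff_scans(SCAN_1, SCAN_2).items():
        print(section)
        for item in items:
            print("   ", item)
```

Entries listed under "changed" and "new_processes" are candidates for a closer look, not verdicts; a hosts mapping or autorun that survives a cleanup with a different value is the kind of line a helper would ask about.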
     
  9. goskins

    goskins Thread Starter

    Joined:
    Oct 19, 2003
    Messages:
    29
    Hey guys,
    I did as you suggested. The only thing I didn't do was disable my antivirus program - I wasn't sure how to do so. I run Windows XP (I think the antivirus program is built in), and I didn't want to cause more problems. If this is necessary, let me know how to disable, and I will go through the same steps above. Anyway, I did run TDS and HT and here are the logs. As always, thanks very much!

    15:16:53 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
    15:16:53 [Init] Started 21-10-03 15:16:53 Eastern Standard Time (UTC: 5), Internet Time @845.06
    15:16:53 [Init] Loading TDS-3 Systems ...
    15:16:53 [Init] Token successfully adjusted.
    15:16:53 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
    15:16:53 [Init] • Plugins : OK. Loaded 13
    15:16:54 [Init] • Exec Protection : Not Installed
    15:16:54 [Init] WARNING: Your Radius.TD3 database needs to be updated!
    15:16:54 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
    15:16:54 [Init] Licensed users can use the Update facility from the TDS menu
    15:16:54 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
    15:16:56 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
    15:16:56 [Init] • Systems Initialised [28987 references - 9918 primaries/8255 traces/10814 variants/other]
    15:16:57 [Init] Radius Systems loaded. <Databases updated 21-10-2003>
    15:16:57 [Init] TDS-3 Ready. <Mike [email protected] - United States>
    15:16:57 [Tip Of The Day] The latest portref.txt file can be downloaded at http://tds.diamondcs.com.au/portref.txt We will update this file every few weeks as new default trojan ports are added.
    15:16:57 [Init] NOTICE A change has been detected in the autostart registry. Press Ctrl+A to view the autostart registry
    15:16:57 [TDS] Good afternoon Mike branham.
    15:16:58 [Mutex Memory Scan] Started...
    15:16:59 [Mutex Memory Scan] Finished (no trojan mutexes found).
    15:16:59 [Trace Scan] Started...
    15:17:07 [CRC32] Started - verifying 29 files ...
    15:17:13 [CRC32] Test finished.
    15:17:27 [Memory Scan] Memory scan started, please wait a moment ...
    15:17:27 [Memory Scan] Memory scan complete.
    15:17:27 [Mutex Memory Scan] Started...
    15:17:29 [Mutex Memory Scan] Finished (no trojan mutexes found).
    15:17:29 [Trace Scan] Started...
    15:17:32 [Trace Scan] Finished.
    15:17:32 [Service\Driver Scan] Scanning for services and drivers ...
    15:17:34 [Service\Driver Scan] Scanned 299 services and drivers.
    15:17:34 [File Scan] Scanning in A:\ ...
    15:17:35 [File Scan] Scanned 0 files: 0 alarms in 1.03125 seconds (Avg 1. files/sec)
    15:17:35 [File Scan] Scanning in C:\ ...
    15:33:21 [File Scan] Scanned 53119 files: 0 alarms in 946.2813 seconds (Avg 57.13 files/sec)
    15:33:21 [File Scan] Scanning in D:\ ...
    15:33:21 [File Scan] Scanned 0 files: 0 alarms in 0 seconds (Avg -1.#IND files/sec)
    15:33:21 [File Scan] Scanning in E:\ ...
    15:33:21 [File Scan] Scanned 0 files: 0 alarms in 0 seconds (Avg -1.#IND files/sec)
    15:33:21 [Scan] Finished.
    15:33:23 [Trace Scan] Finished.
    15:33:23 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
    15:36:47 [Quit] Unloading ...

    Logfile of HijackThis v1.97.3
    Scan saved at 3:38:37 PM, on 10/21/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\GWMDMMSG.exe
    C:\WINDOWS\mHotkey.exe
    C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\ESPN\BottomLine\bline.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\BellSouth\Connection Manager\CManager.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\systray.exe
    C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
    C:\WINDOWS\System32\MuqaZ.exe
    C:\WINDOWS\System32\KsbsD3.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\PROGRA~1\BROADJ~1\CLIENT~1\CFD.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Documents and Settings\Mike Branham\Local Settings\Temp\Temporary Directory 8 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bellsouth.net/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://support.fastaccess.com/launch.asp
    O1 - Hosts: 66.197.100.83 auto.search.msn.com
    O1 - Hosts: 66.197.100.83 sitefinder.verisign.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
    O4 - HKLM\..\Run: [[email protected]] C:\WINDOWS\System32\Lnu4N.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: Web Search - c:\windows\ex.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37914.210625
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Sorry to keep you waiting goskins but I am trying to figure out what the best move is. TDS3 was detecting and removing this b#*#%^@d a couple of days ago but it looks like the trojan authors have changed its signature and TDS3 isn't up to speed.

    There is one other program that has been effective getting rid of peper.a. Right now I have another thread going and the guy is in the process of giving it a try. Once I have seen the results from his efforts with NOD32 I'll get back to you. I don't want to waste your time having you install another program if it isn't going to work either.

    If you're not too anxious I would appreciate it if you'd wait and see how it goes with him. Hopefully it will work for him and I'll recommend the same for you.

    Meanwhile you may want to check out this thread so you'll have a better idea of what we're dealing with here.

    http://forums.techguy.org/t171157/s.html
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    goskins I think I may have found a solution. Let's try this:

    The files we are going to delete are hidden files so make sure that "Show hidden files and folders" is checked in Folder Options > View

    Download and install Regprot: http://www.diamondcs.com.au/index.php?page=regprot

    Have HijackThis Fix:

    O4 - HKLM\..\Run: [[email protected]] C:\WINDOWS\System32\Lnu4N.exe
    Note: The one constant in the above entry will be [[email protected]]. The file name may have changed.

    Regprot will alert you to new startup entries with the new file names while you are doing this. Deny them by clicking NO, but write down the filenames before clicking NO.

    Then boot into safe mode and navigate to C:\WINDOWS\System32 and delete
    the files whose names you wrote down plus these if you find them.

    Lnu4N.exe
    MuqaZ.exe
    KsbsD3.exe

    Boot back into Normal and run HijackThis again. Post the new log.

    Credit goes to mosaic1 for the above procedure.
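
The post above notes that the Run value name stays constant while the file it launches keeps changing. As an added example (not part of the original thread and not code from HijackThis or Regprot), this Python sketch compares the O4 lines of successive HijackThis logs to list every file name a rotating value has pointed at, and also reports O1 Hosts redirects; `EXAMPLE-VALUE` stands in for the value name obscured on this page, and `Xq7Rt.exe` and the localhost line are constructed.

```python
import re
from collections import defaultdict

# "O4 - HKLM\..\Run: [ValueName] command" and "O1 - Hosts: ip hostname"
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")

# Constructed excerpts of two successive scans. EXAMPLE-VALUE and Xq7Rt.exe
# are placeholders; the localhost line is added for contrast.
SCAN_1 = r"""
O1 - Hosts: 66.197.100.83 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EXAMPLE-VALUE] C:\WINDOWS\System32\Lnu4N.exe
"""
SCAN_2 = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EXAMPLE-VALUE] C:\WINDOWS\System32\Xq7Rt.exe
"""

def parse_scan(log_text):
    """Return ({(hive, key, value_name): command}, [(ip, host)]) for one log."""
    runs, hosts = {}, []
    for line in map(str.strip, log_text.splitlines()):
        m = RUN_RE.match(line)
        if m:
            runs[m.group(1, 2, 3)] = m.group(4)
        elif (m := HOSTS_RE.match(line)):
            hosts.append((m.group(1), m.group(2)))
    return runs, hosts

def rotating_run_values(scans):
    """Run values whose command changed between scans, with every command seen."""
    seen = defaultdict(list)
    for text in scans:
        for key, cmd in parse_scan(text)[0].items():
            if cmd not in seen[key]:
                seen[key].append(cmd)
    return {k: v for k, v in seen.items() if len(v) > 1}

def redirected_hosts(log_text):
    """Hosts entries that point a name at something other than loopback/null."""
    return [(ip, host) for ip, host in parse_scan(log_text)[1]
            if not ip.startswith("127.") and ip not in ("0.0.0.0", "::1")]

if __name__ == "__main__":
    print(rotating_run_values([SCAN_1, SCAN_2]))
    print(redirected_hosts(SCAN_1))
```

The commands collected for a rotating value are the same list the procedure asks you to write down from the Regprot prompts before deleting files in safe mode.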
     
  12. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Any luck?
     
  13. goskins

    goskins Thread Starter

    Joined:
    Oct 19, 2003
    Messages:
    29
    Hey, flrman1. I've been unable to download regprot this morning. I'll keep trying and let you know what happens. Thanks for your help and your patience!
     
  14. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    No problem. :)

    FYI we were successful in removing this pest last night using this method so I know first hand it works.
     
  15. goskins

    goskins Thread Starter

    Joined:
    Oct 19, 2003
    Messages:
    29
    Good news! System seems to be completely back to normal. The window that was popping up at startup is no longer there. Also, system is performing all tasks at normal speed. Thanks very much.
    A few questions:
    (1) When I went into the SYS32 folder, all I found to delete was something called nwiz. Should there have been more to delete or is this normal? I had about 6 items written down when I ran regprot.
    (2) One of the reg items I removed concerned ESPN Bottomline, which I uninstalled after I rebooted. Is it possible that this was one source of my problems (i.e. should I not redownload/reinstall it)?
    (3) Finally, the font size seems to have decreased on my web pages. Was this possibly reset by one of the intruders I had on my system? How do I reset it?

    Thanks again for all your help. It's nice to have my computer running normally again!
     
Short URL to this thread: https://techguy.org/173196
