28 replies to this topic

[little eagle]

Try TrendMicro HouseCall

[nerdwanabe]

Sorry for the delay. Been a little hectic. ran house call and had it clean everything but it was unable to clean this one " TSPY_ALEMOD.A C:\WINDOWS\SYSTEM\WININET.DLL " Also I happened to enable the sounds for programs closimg and have found this happening quite abit at random times even when no one has been at the computer for quite some time. I don't know if this is normal or not?
Here is the new log

Logfile of HijackThis v1.99.1
Scan saved at 11:00:57 AM, on 02/23/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\WILD FILE\GOBACK\GBPOLL.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMON32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPCLIENT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YT.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YT.DLL
O4 - HKLM\..\Run: [IntelliType] "c:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [$EnterNet] C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\EnterNet.exe -AutoStart
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Wild File\GoBack\GBPoll.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Startup: GoBack.lnk = C:\Program Files\Wild File\GoBack\GBMenu.exe
O4 - Startup: PrintMaster Event Reminder.lnk = C:\Program Files\Canon Creative\PrintMaster\Pmremind.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - User Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - User Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - User Startup: GoBack.lnk = C:\Program Files\Wild File\GoBack\GBMenu.exe
O4 - User Startup: PrintMaster Event Reminder.lnk = C:\Program Files\Canon Creative\PrintMaster\Pmremind.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {00000000-7B59-11D3-BC98-005004131771} - http://www.videogate...iecompanion.exe
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = swbell.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,151.164.1.7,151.164.2.10

[little eagle]

Downloadsmitfraud Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES.

Download Ad-Aware SE
Check Here on how setup and use it - please make sure you update it first.
Use the: “Check for Updates Now” option and download the latest reference files
(Don't run it yet we will use it later)

Download CCleaner and install it. Close out the program when it has completed set up (Don't run it yet we will use it later )

Go to Add/Remove programs and remove the following SpySheriff if there

Next Reboot into SAFE MODE Make sure you can view all Hidden Files/Folders search for and delete the files highlighted in BOLD if found

C:\Windows\Desktop.html
C:\Program Files\SpySheriff <<< Delete Folder
C:\winstall.exe

Open CCleaner
To clean your machine, it is highly recommended that you clean the following directory contents (but not the directory folder):

Please run CCleaner to assist in this process.
(Setup: go to >options > settings > Uncheck "Only delete files in Windows Temp folders older than 48 hours" for cleaning malware files!)

* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <- This will delete all your cached internet content including cookies.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Close out CCleaner.

Next

While still in safe mode

Open Ad-aware Scan your system, when complete have it fix all it finds,
Close out the program,

Reboot to normal mode, run another AV scan.
Post the smitfraud results here.
Let us know how your system is running now

Edited by little eagle, 23 February 2006 - 07:47 PM.

[nerdwanabe]

Next Reboot into SAFE MODE Make sure you can view all Hidden Files/Folders search for and delete the files highlighted in BOLD if found

C:\Windows\Desktop.html
C:\Program Files\SpySheriff <<< Delete Folder
C:\winstall.exe

Where would these files be located?
Or where should I be Looking for these.

[nerdwanabe]

OK I ran Everything. I looked for the files referenced in my last post by using "find" and found nothing so I opened "windows explorer" and did a visual search for them. I did not find any of them but I did find a folder named "psguard" which I deleted. Ran the ccleaner and cleaned everything it found. ran adaware and deleated all it found. someting i did not notice before in results is something called "alpacleaner"? rebooted and ran adaware again and deleted all it found again. still finding "alpacleaner" plus others. when I launch IE the hard drive sounds like it is franticly writting. the system locked up. reset. system still sounds like it is writting. do not know how to get smitfraud results. every time i click on it it asks about megeing files and does nothing else. system still writting franticly after 5 or so miniutes.

[nerdwanabe]

results from new adaware sweep Ad-Aware SE Build 1.06r1 Logfile Created on:Friday, February 24, 2006 10:16:22 AM Created with Ad-Aware SE Personal, free for private use. Using definitions file:SE1R93 22.02.2006 »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» References detected during the scan: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» AlfaCleaner(TAC index:10):1 total references Malware.Psguard(TAC index:7):5 total references MRU List(TAC index:0):1 total references »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Definition File: ========================= Definitions File Loaded: Reference Number : SE1R93 22.02.2006 Internal build : 106 File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\defs.ref File size : 619154 Bytes Total size : 1862054 Bytes Signature data size : 1827005 Bytes Reference data size : 34537 Bytes Signatures total : 51409 CSI Fingerprints total : 1621 CSI data size : 48886 Bytes Target categories : 15 Target families : 841 Memory + processor status: ========================== Number of processors : 1 Processor architecture : Intel Pentium III Memory available:69 % Total physical memory:325536 kb Available physical memory:191320 kb Total page file size:1771612 kb Available on page file:1771612 kb Total virtual memory:2093056 kb Available virtual memory:2040064 kb OS:Microsoft Windows 98 SE Ad-Aware SE Settings =========================== Set : Search for negligible risk entries Set : Safe mode (always request confirmation) Set : Scan active processes Set : Scan registry Set : Deep-scan registry Set : Scan my IE Favorites for banned URLs Set : Scan my Hosts file Extended Ad-Aware SE Settings =========================== Set : Unload recognized processes & modules during scan Set : Scan registry for all users instead of current user only Set : Always try to unload modules before deletion Set : Let Windows remove files in use at next reboot Set : Delete quarantined objects after restoring Set : Include basic Ad-Aware settings in log file Set : Include additional Ad-Aware settings in log file Set : Include reference summary in log file Set : Include alternate data stream details in log file Set : Play sound at scan completion if scan locates critical objects 02-24-2006 10:16:22 AM - Scan started. (Full System Scan) MRU List Object Recognized! Location: : software\microsoft\directdraw\mostrecentapplication Description : most recent application to use microsoft directdraw Listing running processes »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» #:1 [KERNEL32.DLL] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4291761157 Threads : 4 Priority : High FileVersion : 4.10.2222 ProductVersion : 4.10.2222 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Win32 Kernel core component InternalName : KERNEL32 LegalCopyright : Copyright © Microsoft Corp. 1991-1999 OriginalFilename : KERNEL32.DLL #:2 [MSGSRV32.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4294929757 Threads : 1 Priority : Normal FileVersion : 4.10.2222 ProductVersion : 4.10.2222 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Windows 32-bit VxD Message Server InternalName : MSGSRV32 LegalCopyright : Copyright © Microsoft Corp. 1992-1998 OriginalFilename : MSGSRV32.EXE #:3 [SPOOL32.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4294923589 Threads : 3 Priority : Normal FileVersion : 4.10.1998 ProductVersion : 4.10.1998 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Spooler Sub System Process InternalName : spool32 LegalCopyright : Copyright © Microsoft Corp. 1994 - 1998 OriginalFilename : spool32.exe #:4 [MPREXE.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4294919957 Threads : 2 Priority : Normal FileVersion : 4.10.1998 ProductVersion : 4.10.1998 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : WIN32 Network Interface Service Process InternalName : MPREXE LegalCopyright : Copyright © Microsoft Corp. 1993-1998 OriginalFilename : MPREXE.EXE #:5 [MSTASK.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4290810145 Threads : 2 Priority : Normal FileVersion : 4.71.1972.1 ProductVersion : 4.71.1972.1 ProductName : Microsoft® Windows® Task Scheduler CompanyName : Microsoft Corporation FileDescription : Task Scheduler Engine InternalName : TaskScheduler LegalCopyright : Copyright © Microsoft Corp. 2000 OriginalFilename : mstask.exe #:6 [mmtask.tsk] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4290802753 Threads : 1 Priority : Normal FileVersion : 4.03.1998 ProductVersion : 4.03.1998 ProductName : Microsoft Windows CompanyName : Microsoft Corporation FileDescription : Multimedia background task support module InternalName : mmtask.tsk LegalCopyright : Copyright © Microsoft Corp. 1991-1998 OriginalFilename : mmtask.tsk #:7 [EXPLORER.EXE] FilePath : C:\WINDOWS\ ProcessID : 4290804477 Threads : 4 Priority : Normal FileVersion : 4.72.3110.1 ProductVersion : 4.72.3110.1 ProductName : Microsoft® Windows NT® Operating System CompanyName : Microsoft Corporation FileDescription : Windows Explorer InternalName : explorer LegalCopyright : Copyright © Microsoft Corp. 1981-1997 OriginalFilename : EXPLORER.EXE #:8 [TYPE32.EXE] FilePath : C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\ ProcessID : 4290877097 Threads : 3 Priority : Normal #:9 [PELMICED.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4290878221 Threads : 1 Priority : Normal FileVersion : 1, 0, 6, 6 ProductVersion : 1.0.0.0 ProductName : MouseSuite 98 CompanyName : Primax Electronics Ltd. FileDescription : Mouse Suite 98 Daemon InternalName : pelmiced.exe LegalCopyright : Copyright © 1997, Primax Electronics Ltd. LegalTrademarks : Primax Electronics Ltd. #:10 [YBRWICON.EXE] FilePath : C:\PROGRAM FILES\YAHOO!\BROWSER\ ProcessID : 4290874445 Threads : 2 Priority : Normal FileVersion : 2003, 7, 11, 1 ProductVersion : 1, 0, 0, 1 ProductName : Yahoo!, Inc. YBrwIcon CompanyName : Yahoo!, Inc. FileDescription : YBrwIcon InternalName : YBrwIcon LegalCopyright : Copyright © 2003 OriginalFilename : YBrwIcon.exe #:11 [IPMON32.EXE] FilePath : C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\ ProcessID : 4290894929 Threads : 5 Priority : Normal FileVersion : 5.5.33.226 ProductVersion : 5.5.33.226 ProductName : Visual IP InSight CompanyName : Visual Networks FileDescription : IP Monitor InternalName : IPMON32 LegalCopyright : Copyright © 1996-2001 Visual Networks Technologies, Inc. OriginalFilename : ipmon32.exe #:12 [SYSTRAY.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4290850681 Threads : 2 Priority : Normal FileVersion : 4.10.2222 ProductVersion : 4.10.2222 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : System Tray Applet InternalName : SYSTRAY LegalCopyright : Copyright © Microsoft Corp. 1993-1998 OriginalFilename : SYSTRAY.EXE #:13 [ENTERNET.EXE] FilePath : C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ ProcessID : 4290864749 Threads : 1 Priority : Normal #:14 [TASKMON.EXE] FilePath : C:\WINDOWS\ ProcessID : 4290946541 Threads : 1 Priority : Normal FileVersion : 4.10.1998 ProductVersion : 4.10.1998 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Task Monitor InternalName : TaskMon LegalCopyright : Copyright © Microsoft Corp. 1998 OriginalFilename : TASKMON.EXE #:15 [QTTASK.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4290943497 Threads : 1 Priority : Normal #:16 [YCOMMON.EXE] FilePath : C:\PROGRAM FILES\YAHOO!\BROWSER\ ProcessID : 4291024489 Threads : 6 Priority : Normal FileVersion : 2003, 9, 3, 1 ProductVersion : 1, 0, 0, 1 ProductName : YCommon Exe Module CompanyName : Yahoo!, Inc. FileDescription : YCommon Exe Module InternalName : YCommonExe LegalCopyright : Copyright 2003 Yahoo! Inc. OriginalFilename : YCommon.EXE #:17 [WMIEXE.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4291048153 Threads : 3 Priority : Normal FileVersion : 5.00.1755.1 ProductVersion : 5.00.1755.1 ProductName : Microsoft® Windows NT® Operating System CompanyName : Microsoft Corporation FileDescription : WMI service exe housing InternalName : wmiexe LegalCopyright : Copyright © Microsoft Corp. 1981-1998 OriginalFilename : wmiexe.exe #:18 [IPCLIENT.EXE] FilePath : C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\ ProcessID : 4291177937 Threads : 7 Priority : Normal FileVersion : 5.5.33.226 ProductVersion : 5.5.33.226 ProductName : Visual IP InSight CompanyName : Visual Networks FileDescription : IP Session Statistics InternalName : IPCLIENT LegalCopyright : Copyright © 1996-2001 Visual Networks Technologies, Inc. OriginalFilename : ipclient32.exe #:19 [ZLCLIENT.EXE] FilePath : C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ ProcessID : 4291216545 Threads : 7 Priority : Normal FileVersion : 5.5.062.011 ProductVersion : 5.5.062.011 ProductName : Zone Labs Client CompanyName : Zone Labs LLC FileDescription : Zone Labs Client InternalName : zlclient LegalCopyright : Copyright © 1998-2005, Zone Labs LLC OriginalFilename : zlclient.exe #:20 [VSMON.EXE] FilePath : C:\WINDOWS\SYSTEM\ZONELABS\ ProcessID : 4290944049 Threads : 16 Priority : Normal FileVersion : 5.5.062.011 ProductVersion : 5.5.062.011 ProductName : TrueVector Service CompanyName : Zone Labs LLC FileDescription : TrueVector Service InternalName : vsmon LegalCopyright : Copyright © 1998-2005, Zone Labs LLC OriginalFilename : vsmon.exe #:21 [PSTORES.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4291340865 Threads : 3 Priority : Normal FileVersion : 5.00.1877.3 ProductVersion : 5.00.1877.3 ProductName : Microsoft® Windows NT® Operating System CompanyName : Microsoft Corporation FileDescription : Protected storage server InternalName : Protected storage server LegalCopyright : Copyright © Microsoft Corp. 1981-1998 OriginalFilename : Protected storage server #:22 [IEXPLORE.EXE] FilePath : C:\PROGRAM FILES\INTERNET EXPLORER\ ProcessID : 4291122985 Threads : 8 Priority : Normal FileVersion : 6.00.2800.1106 ProductVersion : 6.00.2800.1106 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Internet Explorer InternalName : iexplore LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : IEXPLORE.EXE #:23 [DDHELP.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4291372561 Threads : 2 Priority : Realtime FileVersion : 4.08.00.0400 ProductVersion : 4.08.00.0400 ProductName : Microsoft® DirectX for Windows® 95 and 98 CompanyName : Microsoft Corporation FileDescription : Microsoft DirectX Helper InternalName : DDHelp.exe LegalCopyright : Copyright © Microsoft Corp. 1994-2000 OriginalFilename : DDHelp.exe #:24 [AD-AWARE.EXE] FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\ ProcessID : 4291242337 Threads : 2 Priority : Normal FileVersion : 6.2.0.236 ProductVersion : SE 106 ProductName : Lavasoft Ad-Aware SE CompanyName : Lavasoft Sweden FileDescription : Ad-Aware SE Core application InternalName : Ad-Aware.exe LegalCopyright : Copyright © Lavasoft AB Sweden OriginalFilename : Ad-Aware.exe Comments : All Rights Reserved Memory scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 1 Started registry scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» AlfaCleaner Object Recognized! Type : Regkey Data : TAC Rating : 10 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : clsid\{357a87ed-3e5d-437d-b334-deb7eb4982a3} Registry Scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 1 Objects found so far: 2 Started deep registry scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Deep registry scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 2 Started Tracking Cookie scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Tracking cookie scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 2 Deep scanning and examining files (c:) »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Malware.Psguard Object Recognized! Type : File Data : PSGuard.exe TAC Rating : 7 Category : Malware Comment : Object : c:\Program Files\P.S.Guard\ Malware.Psguard Object Recognized! Type : File Data : WndSystem.dll TAC Rating : 7 Category : Malware Comment : Object : c:\Program Files\P.S.Guard\ FileVersion : 1, 0, 0, 1 ProductVersion : 1, 0, 0, 1 ProductName : WndLayer Module FileDescription : WndLayer Module InternalName : WndLayer LegalCopyright : Copyright 2005 OriginalFilename : WndLayer.DLL Disk Scan Result for c:\ »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 4 Scanning Hosts file...... Hosts file location:"C:\WINDOWS\hosts". »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Hosts file scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» 684 entries scanned. New critical objects:0 Objects found so far: 4 Performing conditional scans... »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Malware.Psguard Object Recognized! Type : Folder TAC Rating : 7 Category : Malware Comment : Malware.Psguard Object : C:\Program Files\P.S.Guard Malware.Psguard Object Recognized! Type : File Data : msvcp71.dll TAC Rating : 7 Category : Malware Comment : Object : C:\Program Files\p.s.guard\ FileVersion : 7.10.3077.0 ProductVersion : 7.10.3077.0 ProductName : Microsoft® Visual Studio .NET CompanyName : Microsoft Corporation FileDescription : Microsoft® C++ Runtime Library InternalName : MSVCP71.DLL LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : MSVCP71.DLL Malware.Psguard Object Recognized! Type : File Data : msvcr71.dll TAC Rating : 7 Category : Malware Comment : Object : C:\Program Files\p.s.guard\ FileVersion : 7.10.3052.4 ProductVersion : 7.10.3052.4 ProductName : Microsoft® Visual Studio .NET CompanyName : Microsoft Corporation FileDescription : Microsoft® C Runtime Library InternalName : MSVCR71.DLL LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : MSVCR71.DLL Conditional scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 3 Objects found so far: 7 10:32:58 AM Scan Complete Summary Of This Scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Total scanning time:00:16:35.960 Objects scanned:118607 Objects identified:6 Objects ignored:0 New critical objects:6

[nerdwanabe]

results from webroot spysweeper 10:40 AM: |··· Start of Session, Friday, February 24, 2006 ···| 10:40 AM: Spy Sweeper started 10:40 AM: Sweep initiated using definitions version 548 10:40 AM: Starting Memory Sweep 10:41 AM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MSGSRV32.EXE 10:42 AM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MMTASK.TSK 10:46 AM: Memory Sweep Complete, Elapsed Time: 00:06:07 10:46 AM: Starting Registry Sweep 10:48 AM: Found Adware: psguard 10:48 AM: HKCR\clsid\{057e242f-2947-4e0a-8e61-a11345d97ea6}\ (ID = 487711) 10:48 AM: HKCR\clsid\{357a87ed-3e5d-437d-b334-deb7eb4982a3}\ (2 subtraces) (ID = 487755) 10:48 AM: HKLM\software\classes\clsid\{057e242f-2947-4e0a-8e61-a11345d97ea6}\ (ID = 488236) 10:48 AM: HKLM\software\classes\clsid\{357a87ed-3e5d-437d-b334-deb7eb4982a3}\ (2 subtraces) (ID = 488280) 10:48 AM: Registry Sweep Complete, Elapsed Time:00:01:59 10:48 AM: Starting Cookie Sweep 10:48 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00 10:48 AM: Starting File Sweep 10:48 AM: Warning: Failed to open file "c:\gobackio.bin". The process cannot access the file because it is being used by another process 10:48 AM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because it is being used by another process 10:57 AM: Warning: Failed to access drive D: 10:57 AM: Warning: Failed to access drive D: 10:57 AM: File Sweep Complete, Elapsed Time: 00:09:12 10:57 AM: Full Sweep has completed. Elapsed time 00:17:21 10:57 AM: Traces Found: 8 ******** 9:48 AM: |··· Start of Session, Thursday, February 23, 2006 ···| 9:48 AM: Spy Sweeper started 9:48 AM: Sweep initiated using definitions version 548 9:48 AM: Starting Memory Sweep 9:49 AM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MSGSRV32.EXE 9:50 AM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MMTASK.TSK 9:53 AM: Memory Sweep Complete, Elapsed Time: 00:04:59 9:53 AM: Starting Registry Sweep 9:55 AM: Found Adware: psguard 9:55 AM: HKCR\clsid\{357a87ed-3e5d-437d-b334-deb7eb4982a3}\ (1 subtraces) (ID = 487755) 9:55 AM: HKLM\software\classes\clsid\{357a87ed-3e5d-437d-b334-deb7eb4982a3}\ (1 subtraces) (ID = 488280) 9:55 AM: Registry Sweep Complete, Elapsed Time:00:01:40 9:55 AM: Starting Cookie Sweep 9:55 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00 9:55 AM: Starting File Sweep 9:55 AM: Warning: Failed to open file "c:\gobackio.bin". The process cannot access the file because it is being used by another process 9:55 AM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because it is being used by another process 10:04 AM: Warning: Failed to access drive D: 10:04 AM: Warning: Failed to access drive D: 10:04 AM: File Sweep Complete, Elapsed Time: 00:09:19 10:04 AM: Full Sweep has completed. Elapsed time 00:16:00 10:04 AM: Traces Found: 4 10:07 AM: Removal process initiated 10:07 AM: Quarantining All Traces: psguard 10:07 AM: Removal process completed. Elapsed time 00:00:03 10:07 AM: Deletion from quarantine initiated 10:07 AM: Processing: psguard 10:07 AM: Deletion from quarantine completed. Elapsed time 00:00:00 ******** 8:18 PM: |··· Start of Session, Thursday, February 09, 2006 ···| 8:18 PM: Spy Sweeper started 8:18 PM: Sweep initiated using definitions version 548 8:18 PM: Starting Memory Sweep 8:19 PM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MSGSRV32.EXE 8:19 PM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MMTASK.TSK 8:24 PM: Memory Sweep Complete, Elapsed Time: 00:05:37 8:24 PM: Starting Registry Sweep 8:25 PM: Found Adware: psguard 8:25 PM: HKCR\clsid\{357a87ed-3e5d-437d-b334-deb7eb4982a3}\ (ID = 487755) 8:25 PM: HKLM\software\classes\clsid\{357a87ed-3e5d-437d-b334-deb7eb4982a3}\ (ID = 488280) 8:25 PM: Registry Sweep Complete, Elapsed Time:00:01:36 8:25 PM: Starting Cookie Sweep 8:25 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00 8:25 PM: Starting File Sweep 8:25 PM: Warning: Failed to open file "c:\gobackio.bin". The process cannot access the file because it is being used by another process 8:25 PM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because it is being used by another process 8:34 PM: Warning: Failed to access drive D: 8:34 PM: Warning: Failed to access drive D: 8:34 PM: File Sweep Complete, Elapsed Time: 00:09:13 8:34 PM: Full Sweep has completed. Elapsed time 00:16:29 8:34 PM: Traces Found: 2 9:19 PM: Removal process initiated 9:19 PM: Quarantining All Traces: psguard 9:19 PM: Removal process completed. Elapsed time 00:00:03 9:19 PM: Deletion from quarantine initiated 9:19 PM: Processing: psguard 9:19 PM: Deletion from quarantine completed. Elapsed time 00:00:00 9:48 AM: IE Tracking Cookies Shield: Removed belnk cookie 9:48 AM: IE Tracking Cookies Shield: Removed l2m.net cookie 9:48 AM: IE Tracking Cookies Shield: Removed myaffiliateprogram.com cookie 9:48 AM: IE Tracking Cookies Shield: Removed clickxchange adware cookie 9:48 AM: IE Tracking Cookies Shield: Removed xren_cj cookie 9:48 AM: IE Tracking Cookies Shield: Removed xren_cj cookie 9:48 AM: IE Tracking Cookies Shield: Removed xren_cj cookie 9:48 AM: IE Tracking Cookies Shield: Removed alt cookie 9:48 AM: IE Tracking Cookies Shield: Removed seeq cookie 9:48 AM: IE Tracking Cookies Shield: Removed ccbill cookie 9:48 AM: IE Tracking Cookies Shield: Removed xiti cookie 9:48 AM: IE Tracking Cookies Shield: Removed overture cookie 9:48 AM: IE Tracking Cookies Shield: Removed classmates cookie 9:48 AM: IE Tracking Cookies Shield: Removed about cookie 9:48 AM: IE Tracking Cookies Shield: Removed belnk cookie 9:48 AM: IE Tracking Cookies Shield: Removed about cookie 9:48 AM: IE Tracking Cookies Shield: Removed specificclick.com cookie 9:48 AM: IE Tracking Cookies Shield: Removed yieldmanager cookie 9:48 AM: Processing Internet Explorer Favorites Alerts 9:48 AM: Allowed IE Favorite: TomCoyote Forums - HijackThis Logs and Spyware-Malware Removal 9:48 AM: Allowed IE Favorite: Human Skull 9:48 AM: Allowed IE Favorite: TunaBombers 9:48 AM: Allowed IE Favorite: How to Cook Everything Home 9:48 AM: Allowed IE Favorite: NBCOlympics.com - TV Listings 9:48 AM: |··· End of Session, Thursday, February 23, 2006 ···| ******** 7:09 PM: |··· Start of Session, Thursday, February 09, 2006 ···| 7:09 PM: Spy Sweeper started 7:09 PM: Sweep initiated using definitions version 548 7:09 PM: Starting Memory Sweep 7:09 PM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MSGSRV32.EXE 7:09 PM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MMTASK.TSK 7:13 PM: Memory Sweep Complete, Elapsed Time: 00:04:31 7:13 PM: Starting Registry Sweep 7:15 PM: Found Adware: psguard 7:15 PM: HKCR\clsid\{357a87ed-3e5d-437d-b334-deb7eb4982a3}\ (ID = 487755) 7:15 PM: HKLM\software\classes\clsid\{357a87ed-3e5d-437d-b334-deb7eb4982a3}\ (ID = 488280) 7:15 PM: Registry Sweep Complete, Elapsed Time:00:01:37 7:15 PM: Starting Cookie Sweep 7:15 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00 7:15 PM: Starting File Sweep 7:15 PM: Warning: Failed to open file "c:\gobackio.bin". The process cannot access the file because it is being used by another process 7:15 PM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because it is being used by another process 7:25 PM: Warning: Failed to access drive D: 7:25 PM: Warning: Failed to access drive D: 7:25 PM: File Sweep Complete, Elapsed Time: 00:09:31 7:25 PM: Full Sweep has completed. Elapsed time 00:15:41 7:25 PM: Traces Found: 2 7:25 PM: Removal process initiated 7:25 PM: Quarantining All Traces: psguard 7:25 PM: Removal process completed. Elapsed time 00:00:04 7:25 PM: Deletion from quarantine initiated 7:25 PM: Processing: psguard 7:25 PM: Deletion from quarantine completed. Elapsed time 00:00:00 ******** 5:34 PM: |··· Start of Session, Wednesday, February 08, 2006 ···| 5:34 PM: Spy Sweeper started 5:34 PM: Sweep initiated using definitions version 548 5:34 PM: Starting Memory Sweep 5:34 PM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MSGSRV32.EXE 5:35 PM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MMTASK.TSK 5:37 PM: Memory Sweep Complete, Elapsed Time: 00:03:02 5:37 PM: Starting Registry Sweep 5:39 PM: Found Adware: psguard 5:39 PM: HKCR\clsid\{357a87ed-3e5d-437d-b334-deb7eb4982a3}\ (ID = 487755) 5:39 PM: HKLM\software\classes\clsid\{357a87ed-3e5d-437d-b334-deb7eb4982a3}\ (ID = 488280) 5:39 PM: Registry Sweep Complete, Elapsed Time:00:01:29 5:39 PM: Starting Cookie Sweep 5:39 PM: Cookie Sweep Complete, Elapsed Time: 00:00:04 5:39 PM: Starting File Sweep 5:39 PM: Warning: Failed to open file "c:\gobackio.bin". The process cannot access the file because it is being used by another process 5:39 PM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because it is being used by another process 5:50 PM: Warning: Failed to access drive D: 5:50 PM: Warning: Failed to access drive D: 5:50 PM: File Sweep Complete, Elapsed Time: 00:10:39 5:50 PM: Full Sweep has completed. Elapsed time 00:15:20 5:50 PM: Traces Found: 2 5:50 PM: Removal process initiated 5:50 PM: Quarantining All Traces: psguard 5:50 PM: Removal process completed. Elapsed time 00:00:03 5:50 PM: Deletion from quarantine initiated 5:50 PM: Processing: psguard 5:50 PM: Deletion from quarantine completed. Elapsed time 00:00:00 9:41 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie 9:41 AM: IE Tracking Cookies Shield: Removed pointroll cookie 9:41 AM: IE Tracking Cookies Shield: Removed falkag cookie 9:41 AM: IE Tracking Cookies Shield: Removed adjuggler cookie 9:41 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie 9:52 AM: Warning: Startup Shield unable to restore: 9:52 AM: Warning: Startup Shield unable to restore: 9:53 AM: Processing Startup Alerts 9:53 AM: Allowed Startup entry: HPAiODevice(hp officejet v series) - 1.lnk 1:38 PM: Processing Internet Explorer Favorites Alerts 1:38 PM: Allowed IE Favorite: TomCoyote Forums Remove Spyware 1:38 PM: Processing Startup Alerts 1:38 PM: Allowed Startup entry: SpybotSnD 7:07 PM: IE Tracking Cookies Shield: Removed alt cookie 7:09 PM: Processing Startup Alerts 7:09 PM: Allowed Startup entry: SchedulingAgent 7:09 PM: Allowed Startup entry: PrintMaster Event Reminder.lnk 7:09 PM: Allowed Startup entry: GoBack.lnk 7:09 PM: Allowed Startup entry: Taskbar Display Controls 7:09 PM: Allowed Startup entry: GoBack Polling Service 7:09 PM: Allowed Startup entry: LoadPowerProfile 7:09 PM: Allowed Startup entry: REGSHAVE 7:09 PM: Allowed Startup entry: QuickTime Task 7:09 PM: Allowed Startup entry: RealTray 7:09 PM: Allowed Startup entry: LoadPowerProfile 7:09 PM: Allowed Startup entry: TaskMonitor 7:09 PM: Allowed Startup entry: ScanRegistry 7:09 PM: |··· End of Session, Thursday, February 09, 2006 ···| ******** 11:48 AM: |··· Start of Session, Sunday, February 05, 2006 ···| 11:48 AM: Spy Sweeper started 11:48 AM: Sweep initiated using definitions version 548 11:48 AM: Starting Memory Sweep 11:48 AM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MSGSRV32.EXE 11:48 AM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MMTASK.TSK 11:50 AM: Memory Sweep Complete, Elapsed Time: 00:02:30 11:50 AM: Starting Registry Sweep 11:52 AM: Found Adware: psguard 11:52 AM: HKCR\clsid\{357a87ed-3e5d-437d-b334-deb7eb4982a3}\ (ID = 487755) 11:52 AM: HKLM\software\classes\clsid\{357a87ed-3e5d-437d-b334-deb7eb4982a3}\ (ID = 488280) 11:52 AM: Registry Sweep Complete, Elapsed Time:00:01:30 11:52 AM: Starting Cookie Sweep 11:52 AM: Cookie Sweep Complete, Elapsed Time: 00:00:05 11:52 AM: Starting File Sweep 11:52 AM: Warning: Failed to open file "c:\gobackio.bin". The process cannot access the file because it is being used by another process 11:52 AM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because it is being used by another process 12:02 PM: Warning: Failed to access drive D: 12:02 PM: Warning: Failed to access drive D: 12:02 PM: File Sweep Complete, Elapsed Time: 00:10:16 12:02 PM: Full Sweep has completed. Elapsed time 00:14:27 12:02 PM: Traces Found: 2 12:11 PM: Removal process initiated 12:11 PM: Quarantining All Traces: psguard 12:11 PM: Removal process completed. Elapsed time 00:00:03 5:32 PM: IE Tracking Cookies Shield: Removed alt cookie 5:32 PM: IE Tracking Cookies Shield: Removed yieldmanager cookie 5:32 PM: IE Tracking Cookies Shield: Removed xren_cj cookie 5:34 PM: IE Tracking Cookies Shield: Removed banner cookie 5:34 PM: IE Tracking Cookies Shield: Removed belnk cookie 5:34 PM: IE Tracking Cookies Shield: Removed websponsors cookie 5:34 PM: IE Tracking Cookies Shield: Removed belnk cookie 5:34 PM: IE Tracking Cookies Shield: Removed belnk cookie 5:34 PM: IE Tracking Cookies Shield: Removed kinghost cookie 5:34 PM: IE Tracking Cookies Shield: Removed yieldmanager cookie 5:34 PM: Processing Startup Alerts 5:34 PM: Allowed Startup entry: Exif Launcher.lnk 5:34 PM: |··· End of Session, Wednesday, February 08, 2006 ···|

[nerdwanabe]

A2 results a-squared Report Scan started: 02/24/2006 11:01:34 AM Scan finished: 02/24/2006 11:15:22 AM Scan duration: 0h 13min 48sec Scanned files: 114670 Infected files: 2 Object Diagnosis Key: HKEY_CLASSES_ROOT\clsid\{357a87ed-3e5d-437d-b334-deb7eb4982a3} Trace.Registry.StartPage Key: HKEY_CLASSES_ROOT\clsid\{357a87ed-3e5d-437d-b334-deb7eb4982a3} Trace.Registry.StartPage

[nerdwanabe]

spybot results Teslaplus.com: Class ID (Registry key, nothing done) HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} --- Spybot - Search && Destroy version: 1.3 --- 2006-02-24 Includes\Cookies.sbi 2006-02-24 Includes\Dialer.sbi 2006-02-24 Includes\Hijackers.sbi 2006-02-24 Includes\Keyloggers.sbi 2006-02-24 Includes\Malware.sbi 2006-02-24 Includes\Revision.sbi 2006-02-24 Includes\Security.sbi 2006-02-24 Includes\Spybots.sbi 2006-02-24 Includes\Trojans.sbi 2004-05-12 Includes\LSP.sbi 2005-02-17 Includes\Tracks.uti 2006-02-24 Includes\PUPS.sbi

[nerdwanabe]

all of these were run in succession. after runinning each scan i copied the results to clipboard pasted them in the reply. then fixed and or cleaned with each tool and then proceded on to next scan. nothing seems to be able to fully remove these. what is your next suggestion.

[little eagle]

Download and run the Microsoft Malicious Software Removal Tool:

http://www.microsoft...ve/default.mspx

Let me know the reults of that in your reply

[nerdwanabe]

not available for win 98

[little eagle]

Sorry about that run both av scans here.

[little eagle]

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php