NOT Emergency - Please Give This HJT Log a Look

keto (Occupied. Or is it preoccupied?), Icrontian
edited October 2004 in Spyware & Virus Removal
Ran AAW6 (updated), SSD and HSA Remover. This is the kids' computer, they've complained of popups and hijacks. Eliminated numerous candidates, suspect there may be a couple left. Thanks in advance, here's the log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
D:\Program Files\Folding@Home\winFAH.exe
D:\Program Files\Folding@Home\FahCore_78.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=543
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - Startup: Folding@home 4.00.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogin.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://69.31.85.151/G7/chm9.chm::/file1.exe
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.com/teleport/hotdate/NPC/MaxisHotDateTeleX.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {2DAE59A1-B355-4653-8D33-33A3A8F8C078} (MaxisVacationTeleX Control) - http://thesims.ea.com/teleport/vacation/MaxisVacationTeleX.cab
O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - http://thesims.ea.com/teleport/superstar/MaxisSuperstarTeleX.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families/MaxisSimsFamilyTeleX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
O20 - AppInit_DLLs: 1w8umu39z1wf.dll

Comments

  • Trogan, London, UK
    edited October 2004
    Hi Keto, hope you know there's a new version of Ad-Aware, it's Ad-Aware SE.

    It finds more crap than version 6.0...you can download it from the security page
  • keto (Occupied. Or is it preoccupied?), Icrontian
    edited October 2004
    Bumpity. When you have a moment please and thank you. Browser is still hijacked.
  • Dexter, Vancouver, BC Canada
    edited October 2004
    Hey Keto,

    Set your system to Show Hidden Files and folders.

    For Windows XP or ME, Disable System Restore.

    Reboot into Safe Mode.

    Run Hijack This. FIX THE FOLLOWING:

    O4 - Global Startup: winlogin.exe
    O20 - AppInit_DLLs: 1w8umu39z1wf.dll

    Those are problems there.

    O15 - Trusted Zone: *.greg-search.com

    That might be, if you don't know that domain, fix it as well.


    Can you also please post the FULL report (the header section that shows the version number, OS version, IE version, etc.) You should be using HJT v 1.98.2.

    Stay in Safe mode, manually locate the exe and dll files in the entries above, and quarantine them.

    Then, go into C: -> Windows -> Downloaded Program Files, and delete everything in there. Anything you really need will be re-downloaded on demand when you visit the website that needs them.

    Reboot normally, check things out, and come back to let us know how it turned out. Post a fresh HJT log for review. If things looks clean, re-enable your system restore and set a new restore point.

    Dexter...
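The triage Dexter does by eye above (AppInit_DLLs should be blank, winlogin.exe is a look-alike of winlogon.exe, an unknown domain in the Trusted Zone) can be scripted. The following is an added example written for this page, not code from the thread and not part of HijackThis. The heuristics are my own, SAMPLE_LOG is an excerpt copied from the log posted at the top of the thread, and ALLOWED_HOSTS is an assumed allow-list of home/search-page hosts you would tune for your own machine. It also flags O16 download entries whose URL scheme is not plain HTTP(S), which covers the ms-its: entry in the first log that nobody in the thread commented on.

```python
"""Triage pass over HijackThis (HJT) log entries.

Added example: not code from the thread above and not part of HijackThis.
The heuristics are the author's own; SAMPLE_LOG is copied from the posted
log; ALLOWED_HOSTS is an assumption.
"""
import re
from urllib.parse import urlsplit

# Assumption: hosts a home page or search page may legitimately point at.
ALLOWED_HOSTS = {"www.yahoo.com", "www.msn.com", "www.google.com"}

# Core Windows binaries whose names malware likes to imitate.
CORE_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                 "services.exe", "smss.exe", "explorer.exe", "spoolsv.exe"}

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
FILE_RE = re.compile(r"([^\\\s]+\.(?:dll|exe|ocx))\s*$", re.I)
EXE_RE = re.compile(r"[\w~-]+\.exe\b", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample: an excerpt of the HJT log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=543
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\hjmvu4yodlj.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - Global Startup: winlogin.exe
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://69.31.85.151/G7/chm9.chm::/file1.exe
O20 - AppInit_DLLs: 1w8umu39z1wf.dll
"""


def parse_hjt(text):
    """Return (kind, detail) for every R*/O* line in an HJT log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def levenshtein(a, b):
    """Edit distance between two strings, used to spot look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(filename):
    """True for machine-generated names such as 1w8umu39z1wf.dll: eight or
    more characters mixing letters and digits, or almost no vowels."""
    stem = filename.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    if len(stem) < 8:
        return False
    has_digit = any(c.isdigit() for c in stem)
    has_alpha = any(c.isalpha() for c in stem)
    vowels = sum(c in "aeiou" for c in stem)
    return (has_digit and has_alpha) or vowels / len(stem) < 0.15


def lookalike(name):
    """Return the core Windows binary a file name imitates, or None."""
    name = name.lower()
    if name in CORE_BINARIES:
        return None
    for core in CORE_BINARIES:
        if levenshtein(name, core) <= 2:
            return core
    return None


def triage(entries):
    """Return (kind, detail, reason) for entries worth a second look."""
    findings = []
    for kind, detail in entries:
        if kind in ("R0", "R1") and " = " in detail:
            host = urlsplit(detail.split(" = ", 1)[1].strip()).hostname or ""
            if host and host not in ALLOWED_HOSTS:
                findings.append((kind, detail, f"start/search page set to {host}"))
        elif kind == "O2":
            m = FILE_RE.search(detail)
            if m and looks_random(m.group(1)):
                findings.append((kind, detail, "BHO with machine-generated DLL name"))
        elif kind == "O4":
            for exe in EXE_RE.findall(detail.split(": ", 1)[-1]):
                core = lookalike(exe)
                if core:
                    findings.append((kind, detail, f"{exe} imitates {core}"))
        elif kind == "O15":
            findings.append((kind, detail, "domain added to the IE Trusted Zone"))
        elif kind == "O16":
            parts = urlsplit(detail.rsplit(" - ", 1)[-1].strip())
            if parts.scheme.lower() not in ("http", "https"):
                findings.append((kind, detail, f"download via {parts.scheme}: scheme"))
            elif IPV4_RE.fullmatch(parts.hostname or ""):
                findings.append((kind, detail, "download from a bare IP address"))
        elif kind == "O20" and detail.split(":", 1)[-1].strip():
            findings.append((kind, detail, "AppInit_DLLs is blank on a clean system"))
    return findings


if __name__ == "__main__":
    for kind, detail, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{kind:<3} {reason}\n    {detail}")
```

Run it against a full log pasted into SAMPLE_LOG (or read from a file) and it prints only the entries that need a human decision; the NVIDIA, HP and MSN Zone entries in the excerpt stay quiet.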
  • keto (Occupied. Or is it preoccupied?), Icrontian
    edited October 2004
    I can't seem to get at that O4 winlogin.exe. HJT says it is running and needs to be done through Task Manager. The only thing close in there is winlogon (note: 'on', not 'in'), which it says is a critical system function, blah blah. A search of *winlogin*, winlogin.exe, *winlogin.exe*, etc. comes up with nothing but the HJT backup. I've quarantined the O20 entry twice but it comes back. And I emptied the Downloaded Program Files. This is all done in Safe Mode.

    Here's a new log.


    Logfile of HijackThis v1.98.2
    Scan saved at 11:05:31 AM, on 10/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Cacheman\Cacheman.exe
    D:\Program Files\Folding@Home\winFAH.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\Folding@Home\FahCore_78.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=543
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=543
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=543
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=543
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\hjmvu4yodlj.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
    O4 - Startup: Folding@home 4.00.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: winlogin.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O20 - AppInit_DLLs: 1w8umu39z1wf.dll


    P.S. Thanks Dex, and the rest of the SVT team. In theory I know my way around a computer fairly well but this junk just escapes me - glad we have some experts around.
  • Dexter, Vancouver, BC Canada
    edited October 2004
    This entry was not there before:


    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\hjmvu4yodlj.dll

    Fix that guy (in safe mode) and these ones as well:

    O4 - Global Startup: winlogin.exe

    O20 - AppInit_DLLs: 1w8umu39z1wf.dll

    Stay in safe mode and quarantine those files. If you can't find the winlogin, check your start menu, under All Programs -> Startup, and see if it is in there either as an app or a shortcut.

    See what that does and let us know.

    Dexter...
  • keto (Occupied. Or is it preoccupied?), Icrontian
    edited October 2004
    O4 - Global Startup: winlogin.exe: I cannot find this file anywhere, not on the Start menu, not in Add/Remove Programs.

    O20 - AppInit_DLLs: 1w8umu39z1wf.dll: this file instantly regenerates. I cut/paste it from its location (C:\Windows\System32) to a QUARANTINE folder and rename it to .ddd, after 'fixing' it with HJT. Scan again and it's back, and the file is regenerated in the System32 folder. Even if I delete it, it's right back, in Safe Mode.

    Fresh log:

    Logfile of HijackThis v1.98.2
    Scan saved at 9:52:07 PM, on 10/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Cacheman\Cacheman.exe
    D:\Program Files\Folding@Home\winFAH.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\Folding@Home\FahCore_78.exe
    D:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=543
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=543
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=543
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=543
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
    O4 - Startup: Folding@home 4.00.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: winlogin.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
    O20 - AppInit_DLLs: 1w8umu39z1wf.dll


    OK, now I'm getting pissed off.
  • SpywareShooter, 127.0.0.1
    edited October 2004
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=543
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=543
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=543
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=543
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
    O4 - Global Startup: winlogin.exe
    O20 - AppInit_DLLs: 1w8umu39z1wf.dll


    Fix those entries, then find and delete winlogin.exe and 1w8umu39z1wf.dll, reboot, and post a new log.
  • keto (Occupied. Or is it preoccupied?), Icrontian
    edited October 2004
    Sorry, but you didn't read any of my text, did you? I cannot find winlogin.exe. I have searched (*winlog*, winlogin.exe, winlog*, and any other search variation you would care to name), have checked the Start menu, Add/Remove Programs, nothing. Task Manager/Processes shows winlogon, note the difference in spelling - and even in Safe Mode, Task Manager will not let me stop it.

    Also, the O20 entry (1w8umuxxxxxxxx) just regenerates itself instantly when I quarantine it.

    However....I'll go downstairs and delete what I can and repost.
  • keto (Occupied. Or is it preoccupied?), Icrontian
    edited October 2004
    Logfile of HijackThis v1.98.2
    Scan saved at 10:42:30 PM, on 10/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Cacheman\Cacheman.exe
    D:\Program Files\Folding@Home\winFAH.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\Folding@Home\FahCore_78.exe
    C:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\HijackThis\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
    O4 - Startup: Folding@home 4.00.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: winlogin.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O20 - AppInit_DLLs: 1w8umu39z1wf.dll
  • Dexter, Vancouver, BC Canada
    edited October 2004
    Keto,

    go into Regedit and do a search for AppInit_DLLs.

    You should get two hits, the first one will be a "pointer", a reg which tells the system where to look for declarations of AppInit_DLLs. It should be in the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows

    with a reg name and value:

    AppInit_DLLs = SYS:Microsoft\Windows NT\CurrentVersion\Windows

    The next should be in the location specified by that value:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    with a regname:

    AppInit_DLLs

    Now on a clean system, that reg value should be blank.

    Yours will likely have "1w8umu39z1wf.dll" as a value. If you see that, right click on the reg name in the right hand pane, modify it and delete the value data so that it is blank. If you cannot edit it, right-click on the reg location on the left hand side HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (so you will be right-clicking on the Windows folder you will see on the left hand pane) and go into Permissions. Make sure that the Administrators group has Full Control allowed.

    After making the change, reboot the box.

    If the value is not that dll name, please post the value so we can figure out what to do from there.

    ///EDIT: after some research, I have seen cases where the value of that reg appears blank. In that case they have recommended the following process:

    1. Rename the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.
    2. Now delete the AppInit_DLLs key under the Windows2 folder.
    3. Hit F5 and notice that AppInit_DLLs doesn't come back.
    4. Rename the Windows2 folder back to Windows.
    Now that AppInit_DLLs is gone, run the latest AdAware 6 to remove the Trojan for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone.

    Exit Regedit, reboot then run HJT to see if the value is gone from your scan.


    You may want to back up your Registry before doing that process, as I cannot personally vouch for that advice, but in the similar cases I found it seems to have worked.///



    And, just to be sure, with the Global Startup of Winlogin.exe, did you check the following:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup

    Check that folder, make sure you are set to show hidden files and folders, and protected system files.

    If the dll still regenerates, we may need to check your services listing, and a full startup log to determine the global startup.

    Dexter...
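The two registry locations Dexter walks through above (the IniFileMapping pointer and the real AppInit_DLLs value it points at), plus the All Users Startup folder he and Crunchie both mention, can be checked with a script instead of clicking through Regedit. This is an added example written for this page, not code from the thread. The live check needs Windows (it uses the standard-library winreg module); the two parsing helpers run anywhere. It assumes the documented IniFileMapping convention that a "SYS:" prefix is relative to HKEY_LOCAL_MACHINE\SOFTWARE and "USR:" to HKEY_CURRENT_USER, and it treats the LoadAppInit_DLLs value, which only exists on Vista and later, as optional so the script also works on the XP SP1 box in this thread.

```python
r"""Inspect AppInit_DLLs the way the thread above describes.

Added example, not code from the thread. Live part is Windows-only
(winreg); resolve_ini_mapping() and split_appinit() are pure helpers.
Assumptions: IniFileMapping "SYS:" means HKEY_LOCAL_MACHINE\SOFTWARE and
"USR:" means HKEY_CURRENT_USER; LoadAppInit_DLLs may be absent (pre-Vista).
"""
import os
import sys

INI_MAP_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows"
SHELL_FOLDERS_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"


def resolve_ini_mapping(mapping):
    """Turn an IniFileMapping value such as
    'SYS:Microsoft/Windows NT/CurrentVersion/Windows' (with backslashes)
    into (hive_name, subkey). Leading '!', '#' and '@' flag characters
    are part of the mapping syntax and are stripped first."""
    mapping = mapping.lstrip("!#@")
    if mapping.upper().startswith("SYS:"):
        return "HKEY_LOCAL_MACHINE", "SOFTWARE\\" + mapping[4:]
    if mapping.upper().startswith("USR:"):
        return "HKEY_CURRENT_USER", mapping[4:]
    raise ValueError(f"unrecognised IniFileMapping prefix: {mapping!r}")


def split_appinit(value):
    """AppInit_DLLs is a space- or comma-separated list; return its DLLs.
    On a clean system the value is blank and this returns []."""
    return [d for d in value.replace(",", " ").split() if d]


def live_report():
    """Windows only: read the pointer, the real value, the Startup folder."""
    import winreg  # Windows-only module, imported lazily on purpose
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    # KEY_WOW64_64KEY so a 32-bit Python on 64-bit Windows does not get
    # silently redirected to the Wow6432Node copy of the key.
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    report = {}

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INI_MAP_KEY, 0, access) as k:
        pointer, _ = winreg.QueryValueEx(k, "AppInit_DLLs")
    report["pointer"] = pointer
    hive_name, subkey = resolve_ini_mapping(pointer)

    with winreg.OpenKey(hives[hive_name], subkey, 0, access) as k:
        value, _ = winreg.QueryValueEx(k, "AppInit_DLLs")
        report["appinit_dlls"] = split_appinit(value)
        try:
            report["load_appinit_dlls"], _ = winreg.QueryValueEx(k, "LoadAppInit_DLLs")
        except FileNotFoundError:
            report["load_appinit_dlls"] = None  # value does not exist before Vista

    # Same folder HJT reports as "Global Startup"; os.scandir lists hidden
    # and system files that Explorer hides by default.
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SHELL_FOLDERS_KEY, 0, access) as k:
        startup, _ = winreg.QueryValueEx(k, "Common Startup")
    report["common_startup"] = sorted(e.name for e in os.scandir(startup))

    # A bare DLL name in AppInit_DLLs is loaded from System32; say if it is there.
    sys32 = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "System32")
    report["dll_present"] = {d: os.path.exists(os.path.join(sys32, d))
                             for d in report["appinit_dlls"]}
    return report


if __name__ == "__main__":
    if sys.platform != "win32":
        print("live registry check needs Windows; only the helpers run here")
    else:
        for name, val in live_report().items():
            print(f"{name}: {val}")
```

Run it from an Administrator command prompt (or in Safe Mode, as the thread recommends). If appinit_dlls is non-empty the box is not clean, whatever HJT shows after a "fix"; if dll_present says False for a name that HJT keeps reporting, something is recreating the value at boot and the file, which is why clearing the registry value first, as Dexter describes, matters more than deleting the DLL.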
  • Crunchie, Mandurah, Western Australia, Member
    edited October 2004
    Go to C:\Documents and Settings\All Users\Start Menu\Programs\Startup & you should find winlogin there. Have all files/folders unhidden.

    Try running CWShredder too as that is a CWS infection.
  • Dexter, Vancouver, BC Canada
    edited October 2004
    Go to C:\Documents and Settings\All Users\Start Menu\Programs\Startup & you should find winlogin there. Have all files/folders unhidden.

    I just said that in the post above you.... :)

    CWShredder is not a bad idea, except that the research I have done tends to show it is not always effective at removing the AppInit_DLLs, so manual removal often needs to be done first. Once the AppInit_DLL is disabled, CWShredder is often able to find and destroy the target file.

    Go ahead and try CWShredder too, Keto, it's on our security downloads page, but it may not help until the AppInit_DLLs reg entry is cleaned first.

    Dexter...
  • Crunchie, Mandurah, Western Australia, Member
    edited October 2004
    I've got to remember to read every post.
  • Dexter, Vancouver, BC Canada
    edited October 2004
    :)

    No problem...it happens to all of us ;)

    Dexter...