
Trojans removed or still hidden?



Hi AdvancedSetup,

Sorry to ask so many questions!!

I ran ComboFix and here is the log:

ComboFix 09-01-17.03 - LK 2009-01-17 16:50:35.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2037.1354 [GMT -10:00]

Running from: c:\documents and settings\LK\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated)

FW: McAfee Personal Firewall *disabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\x64

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_seneka

((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))

.

2009-01-16 14:15 . 2009-01-16 14:15 <DIR> d-------- c:\documents and settings\LK\Application Data\McAfee

2009-01-15 00:02 . 2009-01-15 00:01 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-01-11 16:30 . 2009-01-11 16:30 <DIR> d-------- c:\program files\Trend Micro

2009-01-11 14:56 . 2009-01-12 19:48 250 --a------ c:\windows\gmer.ini

2009-01-10 19:18 . 2009-01-10 19:18 <DIR> d-------- c:\program files\Java

2009-01-10 19:18 . 2009-01-15 00:01 410,984 --a------ c:\windows\system32\deploytk.dll

2009-01-10 13:08 . 2009-01-07 20:53 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys

2009-01-09 18:53 . 2009-01-15 07:29 <DIR> d-------- c:\program files\Windows Live Safety Center

2009-01-08 22:40 . 2009-01-08 22:40 <DIR> d-------- c:\documents and settings\LK\Application Data\Malwarebytes

2009-01-08 22:27 . 2009-01-15 04:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-08 22:27 . 2009-01-08 22:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-08 22:27 . 2009-01-08 22:27 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-01-08 22:27 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-08 22:27 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-08 22:20 . 2009-01-08 22:20 <DIR> d-------- c:\program files\Citrix

2009-01-08 22:12 . 2008-01-25 04:14 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Roxio

2009-01-08 22:12 . 2008-01-25 04:02 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield

2009-01-08 22:12 . 2008-01-25 04:12 <DIR> d--h----- c:\documents and settings\Administrator\Application Data\GTek

2009-01-08 22:12 . 2009-01-09 20:37 <DIR> d-------- c:\documents and settings\Administrator

2009-01-08 20:53 . 2009-01-08 20:53 <DIR> d-------- c:\windows\McAfee.com

2009-01-07 22:04 . 2009-01-07 22:04 <DIR> d-------- c:\program files\Lavasoft

2009-01-07 22:03 . 2009-01-07 22:03 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-01-07 20:53 . 2009-01-15 02:50 <DIR> d-------- c:\documents and settings\LK\.housecall6.6

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-17 00:16 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee

2009-01-16 07:11 --------- d-----w c:\program files\McAfee

2009-01-11 11:51 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore

2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys

2008-06-08 02:36 0 ----a-w c:\documents and settings\LK\Application Data\wklnhst.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-25 1838592]

"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-15 136600]

"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 c:\windows\RTHDCPL.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-20 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]

--a------ 2006-08-17 05:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R4 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\drivers\datunidr.sys [2007-08-23 5376]

R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-09-04 206096]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8637c99-d16f-11dc-a5b4-001d09872c00}]

\Shell\AutoRun\command - F:\Info.exe folder.htt 480 480

.

Contents of the 'Scheduled Tasks' folder

2008-01-30 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-01-30 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

.

.

------- Supplementary Scan -------

.

uSearch Page = hxxp://www.google.com

uStart Page = hxxp://www.yahoo.com/

uSearch Bar = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080125

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: *.internet

Trusted Zone: *.mcafee.com

FF - ProfilePath - c:\documents and settings\LK\Application Data\Mozilla\Firefox\Profiles\qp5ho47r.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://*.mcafee.com

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=26688

O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine) -

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...489/mcfscan.cab

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--

End of file - 8926 bytes

Thank you,

Kara


  • Root Admin

Hi Kara,

Nothing wrong with asking questions but I needed to impress upon you that it was important to run Combofix and it did find and remove parts of a bad infection that were left over.

Please run the following cleaner and disable, don't use, the Registry portion as it can cause damage.

    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup215.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

Then run the MBAM update, scan process again.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and AFTER the reboot run HJT. Do a system scan and save a logfile.

Then post back NEW MBAM and HJT logs in that order please.


Hi AdvancedSetup,

I ran CCleaner and it removed 72.2 MB.

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.33

Database version: 1663

Windows 5.1.2600 Service Pack 2

1/18/2009 12:24:18 AM

mbam-log-2009-01-18 (00-24-18).txt

Scan type: Quick Scan

Objects scanned: 52943

Time elapsed: 2 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

**********************************

And here is the HJT log after the reboot:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:32:25 AM, on 1/18/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\McAfee\VirusScan\McShield.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.mcafee.com

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=26688

O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine) -

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...489/mcfscan.cab

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--

End of file - 8795 bytes

Thank you,

Kara

  • Root Admin

Those are files in the System Restore and are of no threat, but you can do the following to remove them.

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Make SURE you disable your Anti-Virus software while installing SP3 (you can disconnect from the Internet if you like while doing the install)

Then I would recommend that you download the FULL SP3 file and don't try to update directly from the Windows Update site.

This is a big download though so hopefully you're on a fast connection. 316MB file.

Windows XP Service Pack 3 FULL

Windows Internet Explorer 7 for Windows XP


Hi AdvancedSetup,

Thank you for your reply. I followed your instructions for the System Restore point, and will first download the full version of SP3 and then IE7 hopefully tomorrow. I hope my connection is fast, too!

By the way, should I remove the ComboFix, Gmer, and FixPolicies tools? If so, what is the best way to remove them?

Thank you again,

Kara

  • Root Admin

This tool was designed to remove most of them. Any that are left over you can just delete.

Please download OTMoveIt3 by Old Timer and save it to your Desktop.

  • Double-click OTMoveIt3.exe to run it.
  • While connected to the Internet, Click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.
  • It should ask if you want to clean up, select Yes and allow the system to clean up these items.
  • NOW please reboot your computer to finish the cleanup process

  • Root Admin

Yes it's okay to allow it. When doing Microsoft updates like that you need to make sure you do allow it otherwise it could cause the install to fail.

Often finishing steps are set up to run AFTER a reboot to complete the install.

Okay now that you're up to date on IE7, SP3 you also need to go to the Windows UPDATE site and update ALL the critical updates.

  • Root Admin

Well not sure where the prompt for IE is coming from. I would need more information. Is it the firewall from McAfee trying to allow it? What is the exact wording and what application popped it up?

It is possible that Malware affected your AV. What are some of the entries and are they for the AV scanner or the Firewall?

Might want to send an email to McAfee and ask them how that is controlled and what the default entries are, I don't really know myself what files are set by McAfee as default entries.

Are you having any other signs of infection? Let's see one more round of updates and scans by MBAM please and hopefully you should be pretty clean and set now.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and AFTER the reboot run HJT. Do a system scan and save a logfile.

Then post back NEW MBAM and HJT logs in that order please.

  • Root Admin

Yes, changing your passwords from a KNOWN CLEAN system would be a good idea. Do not use your current computer though until we're very sure it's clean.

A known clean system would be one that passes at least 2 different Anti-Virus scanners, a Rootkit scanner, and 2 different Anti-Malware scanners.

Without being paranoid, a system that passes that should be clean.

I'm just a bit curious why the Registry wants to be changed. It is probably safe, but the program doesn't even tell you WHAT key it wants to modify so it's difficult to say it's safe.

If you're unable to get feedback from McAfee then I would say to go ahead and tell it yes to make the change and then we'll do some more scans to make sure nothing wrong is happening to the system.


Hi AdvancedSetup,

Thank you for your reply. Sending you in this message some examples of entries in the 3 trusted lists:

Program SystemGuards (19 total in this list)

1. SystemGuard name: Active X installations

C:\Windows\softwaredistribution\download\4a70167257b9ec465806ced7f92b65d8\update\update.exe

2. SystemGuard name: Active X installations

C:\Windows\system32\ogacheckcontrol.dll

3. SystemGuard name: Startup Items

C:\Windows\system 32\ctfmon.exe

4. SystemGuard name: Startup Items

C:\buildbu.bat

Windows SystemGuards (20 total in this list)

1. SystemGuard name: Windows Shell Open Commands

C:\documents and settings\lk\local settings\temp\7zs5d.tmp\setup.exe

2. SystemGuard name: Windows Shell Open Commands & Context Menu Handlers

C:\Windows\inf\unregmp2.exe

Browser SystemGuards (44 total in this list)

1. SystemGuard name: Browser Helper Objects

C:\Windows\system32\lsass.exe

2. SystemGuard name: Internet Explorer Bars

C:\Windows\system32\shdocvw.dll

3. SystemGuard name: Internet Explorer Security Zones

C:\Windows\hh.exe

4. SystemGuard name: Internet Explorer Security Zones

C:\Windows\system32\control.exe

Sorry to ask you about my McAfee. I'll post that other question to McAfee's forum too, but no one has replied to my first question about why the firewall is disabled at start/restart, so I don't have high hopes that I'll get a reply to my second question...

Should I just remove all of the entries in the 3 trusted lists? If all entries are removed, then that means that my McAfee has to scan all files, which is the safest way to scan, right?

Thank you for your guidance,

Kara

  • Root Admin

This should be the Office Genuine check file from Microsoft

C:\Windows\system32\ogacheckcontrol.dll

Should be safe:

C:\Windows\system 32\ctfmon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\shdocvw.dll

C:\Windows\hh.exe

C:\Windows\system32\control.exe

Delete the following and don't allow them.

C:\buildbu.bat

C:\documents and settings\lk\local settings\temp\7zs5d.tmp\setup.exe (not enough info to determine what it is but it's in %temp% and executable so not good.)

C:\Windows\inf\unregmp2.exe (probably for Real Player Media)

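The triage reasoning in the reply above (an executable sitting under a temp directory, a batch file that is launched automatically) can be applied mechanically to an exported trusted list. The following is an added example, not part of the original posts or any McAfee tooling; the function names, the extension sets and the choice of which SystemGuard categories count as auto-start are assumptions, and the sample entries are the ones quoted in the thread.

```python
import ntpath

# Extensions treated as directly runnable (a subset chosen for this example).
RUNNABLE = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
SCRIPTS = {".bat", ".cmd", ".vbs", ".js"}
# Directory names that indicate a temp location, including unexpanded variables.
TEMP_DIRS = {"temp", "tmp", "%temp%", "%tmp%"}
# SystemGuard categories whose entries start without user action
# (assumption: spelled as they appear in the post above).
AUTOSTART_GUARDS = {"startup items", "windows shell open commands"}


def split_windows_path(path):
    """Return (directory components, file name), lower-cased, for a Windows path.

    ntpath is used so the parsing works the same on any analysis host.
    """
    _drive, rest = ntpath.splitdrive(ntpath.normpath(path.strip().lower()))
    parts = [p for p in rest.split("\\") if p]
    return parts[:-1], (parts[-1] if parts else "")


def review_reasons(guard, path):
    """List the reasons a trusted-list entry deserves a manual look (empty if none)."""
    dirs, name = split_windows_path(path)
    ext = ntpath.splitext(name)[1]
    reasons = []
    # Rule 1: "it's in %temp% and executable so not good".
    in_temp = any(d in TEMP_DIRS or d.endswith(".tmp") for d in dirs)
    if ext in RUNNABLE and in_temp:
        reasons.append("runnable file under a temp directory")
    # Rule 2: a script is only suspicious here when it is launched automatically.
    if ext in SCRIPTS and guard.strip().lower() in AUTOSTART_GUARDS:
        reasons.append("script in an auto-start list")
    return reasons


def triage(entries):
    """Map each flagged path to its reasons; unflagged entries are omitted."""
    flagged = {}
    for guard, path in entries:
        reasons = review_reasons(guard, path)
        if reasons:
            flagged[path] = reasons
    return flagged


# Sample input: (SystemGuard name, path) pairs as quoted in the thread.
TRUSTED_ENTRIES = [
    ("Active X installations", r"C:\Windows\system32\ogacheckcontrol.dll"),
    ("Startup Items", r"C:\Windows\system 32\ctfmon.exe"),
    ("Startup Items", r"C:\buildbu.bat"),
    ("Windows Shell Open Commands",
     r"C:\documents and settings\lk\local settings\temp\7zs5d.tmp\setup.exe"),
    ("Browser Helper Objects", r"C:\Windows\system32\lsass.exe"),
    ("Internet Explorer Security Zones", r"C:\Windows\hh.exe"),
]

if __name__ == "__main__":
    for path, reasons in triage(TRUSTED_ENTRIES).items():
        print(f"REVIEW {path}: {'; '.join(reasons)}")
```

The two rules only narrow down what to look at by hand; an entry that passes both is not thereby shown to be safe.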

Hi AdvancedSetup,

I removed those 3 entries from the lists, but should I do a search for them in the C drive and delete them from my computer? Is the .bat extension something bad?

If it doesn't cause additional problems, I'd like to remove all of the entries in the 3 trusted lists. If it just means that the scanning time takes longer, then that's fine. Please let me know what you think.

Even if McAfee doesn't scan the files on those trusted lists, when I use other scans (like Housecall, MBAM, etc.), the other scans will scan those files, won't they?

Thank you,

Kara

  • Root Admin

Yes you can remove all of them if you like. The .BAT is for batch files for automation. Don't just look for and remove them though as some are there on purpose. It's when they're being auto launched and / or unknown names then they raise suspicion.

How is the system now? Are there still any signs of an infection?

You should be all set now as far as Malware is concerned.


Hi AdvancedSetup,

Thank you for your advice. I think that my computer is almost back to normal except for the McAfee alert messages that appear whenever I start to use IE. Would the process version help? There are 7 pages in the log with a lot of repeats, so the following entries are the main ones. And I'm sorry that there are so many. I haven't received any replies from the McAfee forum...

1. SystemGuard name: Internet Explorer Security Zones

Rule Type: Registry

Process: C:\Program Files\Internet Explorer\iexplore.exe

Process description: Internet Explorer

Process version: 7.00.6000.16762 (vista_gdr.081013-1507) \S-1-5-21-1945475243-1410929442-4145805741-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel

2. SystemGuard name: Internet Explorer URLs

Rule Type: Registry

Process: C:\Program Files\Internet Explorer\iexplore.exe

Process description: Internet Explorer

Process version: 7.00.6000.16762 (vista_gdr.081013-1507) \S-1-5-21-1945475243-1410929442-4145805741-1006\Software\Microsoft\Internet Explorer\SearchUrl\provider

3. SystemGuard name: Internet Explorer Security Zones

Rule Type: Registry

Process: C:\Program Files\Internet Explorer\iexplore.exe

Process description: Internet Explorer

Process version: 7.00.6000.16762 (vista_gdr.081013-1507) \S-1-5-21-1945475243-1410929442-4145805741-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel

4. SystemGuard name: Internet Explorer Security Zones

Rule Type: Registry

Process: C:\Program Files\Internet Explorer\iexplore.exe

Process description: Internet Explorer

Process version: 7.00.6000.16762 (vista_gdr.081013-1507) \S-1-5-21-1945475243-1410929442-4145805741-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1601

5. SystemGuard name: Internet Explorer Security Zones

Rule Type: Registry

Process: C:\Program Files\Internet Explorer\iexplore.exe

Process description: Internet Explorer

Process version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) \S-1-5-21-1945475243-1410929442-4145805741-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\Internet\about

6. SystemGuard name: Internet Explorer Security Zones

Rule Type: Registry

Process: C:\Program Files\Internet Explorer\iexplore.exe

Process description: Internet Explorer

Process version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) \S-1-5-21-1945475243-1410929442-4145805741-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\Internet

7. SystemGuard name: Internet Explorer Security Zones

Rule Type: Registry

Process: C:\Program Files\Internet Explorer\iexplore.exe

Process description: Internet Explorer

Process version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) \S-1-5-21-1945475243-1410929442-4145805741-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1601

7. SystemGuard name: Internet Explorer Security Zones

Rule Type: Registry

Process: C:\Program Files\Internet Explorer\iexplore.exe

Process description: Internet Explorer

Process version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) \S-1-5-21-1945475243-1410929442-4145805741-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1607

8. SystemGuard name: Internet Explorer Security Zones

Rule Type: Registry

Process: C:\Program Files\Internet Explorer\iexplore.exe

Process description: Internet Explorer

Process version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) \S-1-5-21-1945475243-1410929442-4145805741-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel

9. SystemGuard name: Context Menu Handlers

Rule Type: Registry

Process: C:\Windows\system32\regsvr32.exe

Process description: Microsoft

  • Root Admin

A couple of them are of no concern but many are from when Malware was on the box and it still has an entry to run it.

If possible from within IE go to TOOLS/Internet Options/Advanced and click on RESET to put all back to default.

Then start IE again and go to your home page. Then restart the computer and see what McAfee thinks when trying to start IE.

Not sure where but basically say NO don't allow the changes and DON'T tell me about it anymore.

Beyond that the system appears to be clean if the MBAM, HJT, and McAfee all find nothing.

Search for these files on your system and if found delete them. If they won't let you delete them then let me know.

2c4b71d7rundll32.exe

untqrd.dll

xxyyyWOh.dll

yvzlbk.dll


Hi AdvancedSetup,

Thank you for all of your advice. I searched for those 4 files, but nothing came up, so that's good.

I did the scans - McAfee didn't detect anything. Here is the log for MBAM:

Malwarebytes' Anti-Malware 1.33

Database version: 1695

Windows 5.1.2600 Service Pack 3

1/25/2009 10:51:54 PM

mbam-log-2009-01-25 (22-51-54).txt

Scan type: Full Scan (C:\|)

Objects scanned: 110421

Time elapsed: 37 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

******************************************

And here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:50:00 PM, on 1/25/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\McAfee\VirusScan\McShield.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://partnerpage.google.com/smallbiz.del...amp;ibd=3080125

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKCU\..\Run: [DellAutomatedPCTuneUp] "C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=26688

O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine) -

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...489/mcfscan.cab

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--

End of file - 7026 bytes

One new thing happened tonight, though. I wanted to make a change and the system wouldn't allow me to make the change because I'm not the administrator (which I am).

Thank you again for your help,

Kara

This topic is now closed to further replies.