Can't Remove Look2Me

**bithead** · 2006-04-01, 22:33

OK, thanks. In the meantime...

1) Immediately after importing the killqoo.reg file, the settings are changed back to their pior values. Something is keeping a close watch on things, it seems.

2) After running Avenger and rebooting the first time, after logging in, Explorer never runs -- I get to a blue "desktop" screen, but no icons, start menu or task bar appear. The same occurs in Safe Mode, except the screen is black rather than blue. I finally figured out that I could...

* Press Ctrl-Alt-Del to get Task Manager running
* Choose File --> New Task (Run...), to run Explorer.exe

After the above, Avenger processed its script. And now I have rebooted again, but Explorer still isn't running after login -- I have to manually run Task Manager and start Explorer to get a desktop -- any ideas on fixing this?

Oh, and the following simply will NOT go away:

HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\shell = Explorer.exe, F:\WINNT\System32\rbjef.exe

Even if I manually edit the entry to remove all but Explorer.exe, if I immediately refresh it, the rbjef.exe is back. Is this why Explorer will not run after login?

Here is the Avenger log and the latest HJT log...

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ntfiuofn

*******************

Script file located at: \??\F:\WINNT\dipcnqji.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at F:\Avenger

*******************

Beginning to process script file:

File F:\WINNT\System32\rbjef.exe deleted successfully.

File F:\WINNT\System32\shellbn.exe not found!
Deletion of file F:\WINNT\System32\shellbn.exe failed!

Could not process line:
F:\WINNT\System32\shellbn.exe
Status: 0xc0000034

Folder F:\Program Files\ScreenTaker deleted successfully.

Folder F:\Program Files\rmda\haci.exe not found!
Deletion of folder F:\Program Files\rmda\haci.exe failed!

Could not process line:
F:\Program Files\rmda\haci.exe
Status: 0xc0000034

Deletion of file F:\DOCUME~1\bithead.001\LOCALS~1\Temp\1F.tmp failed!
Status: 0xc000014f

Completed script processing.

*******************

Finished! Terminate.

[I have verified that the files it was unable to delete are in fact not present.]

=====

Logfile of HijackThis v1.99.1
Scan saved at 12:29:38 PM, on 4/1/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
D:\Program Files\Symantec\pcAnywhere\awhost32.exe
F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
F:\WINNT\System32\cusrvc.exe
d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\WINNT\System32\svchost.exe
d:\Program Files\ewido anti-malware\ewidoctrl.exe
d:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
F:\WINNT\LogWatNT.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINNT\system32\regsvc.exe
D:\Program Files\Remote Task Manager\RTMService.exe
F:\WINNT\system32\MSTask.exe
D:\Program Files\TapeWare\TWWINSDR.EXE
D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
F:\WINNT\system32\vmnat.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\UltraVNC\WinVNC.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
F:\WINNT\System32\taskmgr.exe
F:\WINNT\explorer.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINNT\System32\NWTRAY.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\MWSnap\MWSnap.exe
F:\PROGRA~1\INSTAN~1\aim.exe
F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
D:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\OpenOffice.org1.0.1\program\soffice.exe
F:\WINNT\system32\NOTEPAD.EXE
F:\WINNT\system32\cmd.exe
F:\WINNT\regedit.exe
D:\Ad-Spy-Ware killers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.1.12:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,dvqiqyw.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\winnt\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Client Access Service] "D:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "D:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "D:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKLM\..\RunServices: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKCU\..\Run: [MWSnap] "D:\Program Files\MWSnap\MWSnap.exe"
O4 - HKCU\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKCU\..\Run: [ScreenTaker] F:\Program Files\ScreenTaker\STaker.exe
O4 - HKCU\..\Run: [Ramd] "F:\Program Files\rmda\haci.exe" -vt yazr
O4 - HKCU\..\Run: [Key] F:\DOCUME~1\bithead.001\LOCALS~1\Temp\1F.tmp
O4 - HKCU\..\Run: [AIM] F:\PROGRA~1\INSTAN~1\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: LastQUIT v1.2.lnk = F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
O4 - Global Startup: Novell iFolder.lnk = D:\Program Files\Novell\iFolder\trayapp.exe
O8 - Extra context menu item: &Google Search - res://f:\winnt\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\winnt\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\winnt\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\winnt\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Similar Pages - res://f:\winnt\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\winnt\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - F:\WINNT\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - F:\WINNT\System32\dmonwv.dll (file missing)
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O20 - Winlogon Notify: NavLogon - F:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O20 - Winlogon Notify: winm32 - F:\WINNT\SYSTEM32\winm32.dll
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: ARCserve Message Engine (ASMsgEngine) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - F:\Program Files\ComputerAssociates\ARCserve\Alert\Alert.exe
O23 - Service: Client Agent for ARCserve - Computer Associates - F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - F:\WINNT\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - F:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\WINNT\LogWatNT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe
O23 - Service: TapeWare - Unknown owner - D:\Program Files\TapeWare\TWWINSDR.EXE
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
O23 - Service: VMware NAT Service - Unknown owner - F:\WINNT\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: ZipToA - Unknown owner - F:\WINNT\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - F:\Program Files\Iomega\AutoDisk\ADService.exe

Once again, thanks for your help!

**Rawe** · 2006-04-01, 22:40

Please download FindQool by LonnyRJones:

Extract the files and place the FindQool folder in root. Usually C:\
Open the folder and run Qlocate.bat.
Post the contents of the txt.log which will open.

**bithead** · 2006-04-01, 23:42

Sat 04/01/2006
Running from: F:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.
Files found with locate com.

Re-check using dir /a:-d
F:\Documents and Settings\All Users\Start Menu\Programs\Startup
...

HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{4abf810a-f11d-4169-9d5f-7d274f2270a1}
HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

[-HKEY_CLASSES_ROOT\CLSID\{incert HKCR\*\shellex csdl above here if present}]

...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
"biwrfq"="F:\\WINNT\\System32\\brsags.exe reg_run"
HKCU
"wfesh"="F:\\WINNT\\System32\\brsags.exe reg_run"
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe, F:\WINNT\System32\rbjef.exe
userinit REG_SZ C:\WINDOWS\System32\userinit.exe,dvqiqyw.exe
...
SWReg utility
Written by Bobbi Flekman © 2005
Findqool edited 3/26/2006

**Rawe** · 2006-04-02, 00:24

Lets try the following Regedit.

Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Fixqoo.reg to your desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{4abf810a-f11d-4169-9d5f-7d274f2270a1}]

[-HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}]

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@=-

[-HKEY_CLASSES_ROOT\CLSID\{incert HKCR\*\{BDA77241-42F6-11d0-85E2-00AA001FE28C}]

Now double-click on the Fixqoo.reg on your desktop and allow it to merge with registry by clicking YES on the prompt. Post back with a fresh HijackThis log.

**bithead** · 2006-04-02, 00:52

OK, here ya go...

Logfile of HijackThis v1.99.1
Scan saved at 2:50:17 PM, on 4/1/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
D:\Program Files\Symantec\pcAnywhere\awhost32.exe
F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
F:\WINNT\System32\cusrvc.exe
d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\WINNT\System32\svchost.exe
d:\Program Files\ewido anti-malware\ewidoctrl.exe
d:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
F:\WINNT\LogWatNT.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINNT\system32\regsvc.exe
D:\Program Files\Remote Task Manager\RTMService.exe
F:\WINNT\system32\MSTask.exe
D:\Program Files\TapeWare\TWWINSDR.EXE
D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
F:\WINNT\system32\vmnat.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\UltraVNC\WinVNC.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
F:\WINNT\System32\taskmgr.exe
F:\WINNT\explorer.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINNT\System32\NWTRAY.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\MWSnap\MWSnap.exe
F:\PROGRA~1\INSTAN~1\aim.exe
F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
D:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\OpenOffice.org1.0.1\program\soffice.exe
F:\WINNT\system32\NOTEPAD.EXE
F:\WINNT\regedit.exe
F:\WINNT\system32\NOTEPAD.EXE
D:\Ad-Spy-Ware killers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.1.12:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,dvqiqyw.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\winnt\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Client Access Service] "D:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "D:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "D:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKLM\..\RunServices: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKCU\..\Run: [MWSnap] "D:\Program Files\MWSnap\MWSnap.exe"
O4 - HKCU\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKCU\..\Run: [ScreenTaker] F:\Program Files\ScreenTaker\STaker.exe
O4 - HKCU\..\Run: [Ramd] "F:\Program Files\rmda\haci.exe" -vt yazr
O4 - HKCU\..\Run: [Key] F:\DOCUME~1\bithead.001\LOCALS~1\Temp\1F.tmp
O4 - HKCU\..\Run: [AIM] F:\PROGRA~1\INSTAN~1\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: LastQUIT v1.2.lnk = F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
O4 - Global Startup: Novell iFolder.lnk = D:\Program Files\Novell\iFolder\trayapp.exe
O8 - Extra context menu item: &Google Search - res://f:\winnt\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\winnt\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\winnt\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\winnt\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Similar Pages - res://f:\winnt\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\winnt\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O20 - Winlogon Notify: NavLogon - F:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O20 - Winlogon Notify: winm32 - F:\WINNT\SYSTEM32\winm32.dll
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: ARCserve Message Engine (ASMsgEngine) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - F:\Program Files\ComputerAssociates\ARCserve\Alert\Alert.exe
O23 - Service: Client Agent for ARCserve - Computer Associates - F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - F:\WINNT\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - F:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\WINNT\LogWatNT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe
O23 - Service: TapeWare - Unknown owner - D:\Program Files\TapeWare\TWWINSDR.EXE
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
O23 - Service: VMware NAT Service - Unknown owner - F:\WINNT\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: ZipToA - Unknown owner - F:\WINNT\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - F:\Program Files\Iomega\AutoDisk\ADService.exe

**bithead** · 2006-04-02, 02:53

And FWIW, I still have to run Explorer manually after logging in. :(

**Rawe** · 2006-04-02, 11:09

Ok.. Lets continue.

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.

Do NOT run it yet!

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

==

Once in Safe Mode, please run a scan with HijackThis and check the following objects for removal if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,dvqiqyw.exe
O4 - HKLM\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKLM\..\RunServices: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKCU\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKCU\..\Run: [ScreenTaker] F:\Program Files\ScreenTaker\STaker.exe
O4 - HKCU\..\Run: [Ramd] "F:\Program Files\rmda\haci.exe" -vt yazr
O4 - HKCU\..\Run: [Key] F:\DOCUME~1\bithead.001\LOCALS~1\Temp\1F.tmp

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Close HijackThis.

==

Navigate to, and delete the following files/folders if present:

F:\WINNT\System32\rbjef.exe
F:\WINNT\System32\shellbn.exe
F:\Program Files\rmda\

==

Please run ATF-Cleaner:

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

==

Reboot normally and post back with a fresh HijackThis log, please.

**bithead** · 2006-04-02, 19:06

Here is the new HJT log. As you'll see, much of the stuff I removed is still present. I think this is due to logging in with different profiles. The infected profile is a domain account, and is the one I use when booting normally. When booting to Safe Mode, I can't access the domain account since there is no network support. Consequently, all of the HKCU listings are not present when running HJT in Safe Mode.

Should I repeat your last instructions, but using Safe Mode with Networking Support so I can login as my domain user to clean things up for that account?

Logfile of HijackThis v1.99.1
Scan saved at 9:59:45 AM, on 4/2/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\csrss.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
D:\Program Files\Symantec\pcAnywhere\awhost32.exe
F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
F:\WINNT\System32\cusrvc.exe
d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\WINNT\System32\svchost.exe
d:\Program Files\ewido anti-malware\ewidoctrl.exe
d:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
F:\WINNT\LogWatNT.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINNT\system32\regsvc.exe
D:\Program Files\Remote Task Manager\RTMService.exe
F:\WINNT\system32\MSTask.exe
D:\Program Files\TapeWare\TWWINSDR.EXE
D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
F:\WINNT\system32\vmnat.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\UltraVNC\WinVNC.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
F:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINNT\System32\NWTRAY.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\MWSnap\MWSnap.exe
F:\PROGRA~1\INSTAN~1\aim.exe
F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
D:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\OpenOffice.org1.0.1\program\soffice.exe
D:\Ad-Spy-Ware killers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.1.12:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe
F2 - REG:system.ini: UserInit=F:\WINNT\SYSTEM32\Userinit.exe,dvqiqyw.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\winnt\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Client Access Service] "D:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "D:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "D:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MWSnap] "D:\Program Files\MWSnap\MWSnap.exe"
O4 - HKCU\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKCU\..\Run: [ScreenTaker] F:\Program Files\ScreenTaker\STaker.exe
O4 - HKCU\..\Run: [Ramd] "F:\Program Files\rmda\haci.exe" -vt yazr
O4 - HKCU\..\Run: [Key] F:\DOCUME~1\bithead.001\LOCALS~1\Temp\1F.tmp
O4 - HKCU\..\Run: [AIM] F:\PROGRA~1\INSTAN~1\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: LastQUIT v1.2.lnk = F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
O4 - Global Startup: Novell iFolder.lnk = D:\Program Files\Novell\iFolder\trayapp.exe
O8 - Extra context menu item: &Google Search - res://f:\winnt\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\winnt\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\winnt\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\winnt\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Similar Pages - res://f:\winnt\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\winnt\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
O20 - Winlogon Notify: NavLogon - F:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O20 - Winlogon Notify: winm32 - F:\WINNT\SYSTEM32\winm32.dll
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: ARCserve Message Engine (ASMsgEngine) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - F:\Program Files\ComputerAssociates\ARCserve\Alert\Alert.exe
O23 - Service: Client Agent for ARCserve - Computer Associates - F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - F:\WINNT\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - F:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\WINNT\LogWatNT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe
O23 - Service: TapeWare - Unknown owner - D:\Program Files\TapeWare\TWWINSDR.EXE
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
O23 - Service: VMware NAT Service - Unknown owner - F:\WINNT\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: ZipToA - Unknown owner - F:\WINNT\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - F:\Program Files\Iomega\AutoDisk\ADService.exe

**bithead** · 2006-04-02, 19:15

Oh yeah... Explorer launches OK now after login!

Also, I figured out why it was not launching. I copied and pasted this line as it was provided and imported it into the registry:

"Userinit"="C:\\WINDOWS\\System32\\userinit.exe,dvqiqyw.exe"

But on my system, I should have changed "C:\\WINDOWS\System32" to "F:\WINNT\System32". Live and learn... :p

**Rawe** · 2006-04-02, 19:16

Hmm.. Rather clean on the normal mode with this account and see if anything is fixed.

Thread: Can't Remove Look2Me

Thread Tools

Display

Posting Permissions