
Browser Hijacker

Discussion in 'Security and Privacy' started by steelwool, 2004/08/26.

Thread Status:
Not open for further replies.
  1. 2004/08/26
    steelwool

    steelwool Inactive Thread Starter

    Joined:
    2003/03/12
    Messages:
    37
    Likes Received:
    0
    Internet has been slower ever since I had a browser hijacker redirect my home page. Removed searchwww.hijacker with Ad-Aware & re-booted several times but Internet slower now. Spy-bot says system is clean. Could someone please look at my registry to see if this could be the cause ??? I used HijackThis I downloaded in March 2004 -- is there a newer version I should have used instead?

    Logfile of HijackThis v1.97.7
    Scan saved at 9:00:38 AM, on 8/26/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\ENCOMPASS\ENCMONTR.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\WINDOWS\SYSTEM\SYSWB6.EXE
    C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMGR.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\DRWATSON\DESKTOP\DOWNLOADS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find-quick.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find-quick.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://find-quick.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.kickme.to/msnskins
    O1 - Hosts: 204.244.184.143 SafeWeb.com
    O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {b13dace0-b261-11d7-a760-0080c6ea363e} - C:\WINDOWS\APPLICATION DATA\KSTCKCRDWC.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: uooocreaztr - {b13dace1-b261-11d7-a760-0080c6ea363e} - C:\WINDOWS\APPLICATION DATA\KSTCKCRDWC.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [SYSWB6] SYSWB6
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe "
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe "
    O4 - HKLM\..\RunServices: [SSDPSRV] c:\windows\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Encompass\ENCMONTR.EXE
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - Startup: Event Reminder.lnk = c:\PROGRA~1\MINDSC~1\PRINTM~1\PMREMIND.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
    O9 - Extra button: RealGuide (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {18B01F09-2965-11D3-9461-00A0C9B1E042} (FunnyVoiceCtl Class) - http://www.kiddonet.com/kiddonet/luvclicks2/FunnyVoice.ocx
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {A2A62F90-6106-11D3-96F3-00105A771372} (KaraokeComCtl Class) - http://www.kiddonet.com/lapware/actmenu/KaraokeAnim/karaokeCom.ocx
    O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnotes.com/download/npmusicn.cab
    O16 - DPF: {2CDA4FA9-4A2B-4925-8EB4-61BDDE935A84} (OutlookVerification.vOutlook) - http://www.rogershelp.com/smtp/voutlook.cab
    O16 - DPF: ConferenceRoom Java Client - http://chat.musiccity.com/java/cr.cab
    O16 - DPF: {6D655755-EB1B-11D5-A74F-0008C7DA2EA8} (prjRemMail.ctlRemMail) - http://www.rogershelp.com/remmail.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
    O16 - DPF: {F0230524-9D39-4E84-8452-41C592961EA7} (Installer Class) - http://www.tradeexit.com/Config.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37867.2405787037
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnview95.cab
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {3FC76754-41A5-11D2-9370-00A0C9B1E042} (ColoringCtl Class) - http://www.kiddonet.com/lapware/actmenu/coloring/Coloring.ocx
    O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - https://vhost.oddcast.com/admin/hostClientIE.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - https://www.cbs.gov.on.ca/obra/forms/Codebase/FormCtl.cab
    O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://data6.archives.ca/mrsidi_cab/MrSIDI.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.bramptonmaps.ca/bramptonwebsite/acgm/Acgm.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
     
  2. 2004/08/26
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    The infection you have (and one that spybot/ad-aware don't see) is sorta tricky to get rid of properly so I'll let that wait on one of the experts.

    Your Hijackthis version is fairly out-of-date so when they tell you to post a new log after doing the suggested fixes, download 1.98.x (1.98.2 I think) from quicklinks (in my signature) and replace the version you have now. But no need for a new log before fixing some stuff so just go with what you have posted for now.
     
    Newt,
    #2


  4. 2004/08/27
    steelwool

    steelwool Inactive Thread Starter

    Joined:
    2003/03/12
    Messages:
    37
    Likes Received:
    0
    Newt: What do you think the name of the infection is? Do you mean a virus or spyware?
     
  5. 2004/08/27
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    A piece of really pervasive spyware called lop.com that you gave yourself when you installed Messenger Plus! 2 is there and I'm thinking that
    O3 - Toolbar: uooocreaztr - {b13dace1-b261-11d7-a760-0080c6ea363e} - C:\WINDOWS\APPLICATION DATA\KSTCKCRDWC.DLL
    may mean more of the coolweb stuff.

    Problem is the authors of this particular brand of junk are smart and they keep changing things around so you can't just remove what the log shows and you have to be real current on security to spot exactly which variant to know what else is probably there.

    Giving a partial clean-up instruction would only serve to make it harder to find all the pieces.

    Dave, Lonnie, Mark, and several others do stay up-to-date and I am really hoping one of them will look in and give you specifics.

    Meanwhile, none of these things are doing any lasting damage to your system; just slowing things up.
     
    Newt,
    #4
  6. 2004/08/27
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Run Hijackthis (the new version 1.98.2) and check these for removal:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find-quick.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find-quick.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://find-quick.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.kickme.to/msnskins
    O1 - Hosts: 204.244.184.143 SafeWeb.com
    O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
    O2 - BHO: (no name) - {b13dace0-b261-11d7-a760-0080c6ea363e} - C:\WINDOWS\APPLICATION DATA\KSTCKCRDWC.DLL
    O3 - Toolbar: uooocreaztr - {b13dace1-b261-11d7-a760-0080c6ea363e} - C:\WINDOWS\APPLICATION DATA\KSTCKCRDWC.DLL
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe "
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html


    Note that any in green are not spyware or any other intrinsically bad app. They are items that do not need to launch when you start your PC and that do take system resources for no real benefit so I'd remove them but it is optional.

    O4 - HKLM\..\Run: [SystemTray] Systray.Exe - really not sure about this one. On an NT system it would certainly be a baddie trying to hide. On 9X, it may be perfectly legit so hold off on doing anything right now.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711 - Unless you happen to know you are using this proxy server (and set it up or let a program set it up) get rid of it.
    O4 - HKLM\..\Run: [SYSWB6] SYSWB6 - If you are running we-blocker (content filter) then this one is fine. Otherwise, maybe more work to do.
    O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Encompass\ENCMONTR.EXE - if you got the Encompass Yahoo brower because you wanted it, no problem. Otherwise remove this entry and then add/remove and get rid of the application.
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet - if you run Yahoo Messenger and want it to launch at startup (not required but convenient if you use it a lot) leave this alone. Otherwise remove it.

    Now go to add/remove programs and uninstall Messenger Plus!

    Download and run CWShredder with the 'fix' option.

    Reboot then run another HJT scan and post the results.
     
    Newt,
    #5
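The checks Newt applies to this log (hosts-file overrides, a loopback proxy, search/local page keys pointing at unknown hosts, a BHO and toolbar loaded from Application Data, ActiveX downloads from unrecognised sites) written out as an added Python example; it is not from the thread or from HijackThis itself. The trusted-host lists and the sample lines it scans are constructed from entries quoted in the thread, and the rule thresholds are assumptions.

```python
"""Triage rules for HijackThis log lines, mirroring the advice in this thread."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed allowlists for the example; a real triage list would be far longer.
TRUSTED_PAGE_HOSTS = {"yahoo.com", "google.com", "msn.com", "microsoft.com"}
TRUSTED_DPF_HOSTS = {"macromedia.com", "microsoft.com", "symantec.com",
                     "yahoo.com", "yimg.com", "msn.com", "trendmicro.com"}
PAGE_KEYS = ("Start Page", "Search Bar", "Search Page", "Local Page",
             "Default_Page_URL", "Default_Search_URL")
LINE_RE = re.compile(r"^\s*(?P<sec>R[0-3]|O\d{1,2})\s+-\s+(?P<body>.*?)\s*$")


@dataclass
class Finding:
    section: str
    severity: str  # "fix" = remove it, "review" = confirm with the user first
    reason: str
    line: str


def host_of(url):
    """Hostname of a URL; HJT logs omit the scheme for some Local Page values."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host, trusted):
    return any(host == t or host.endswith("." + t) for t in trusted)


def check_line(line):
    """Return a Finding for one log line, or None if the line is unremarkable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "O1" and body.startswith("Hosts:"):
        # A hosts entry mapping a name to a remote IP silently redirects it;
        # only loopback/null mappings (ad blocking) are left alone here.
        parts = body[len("Hosts:"):].split()
        if len(parts) >= 2 and parts[0] not in ("127.0.0.1", "0.0.0.0", "::1"):
            return Finding(sec, "fix", f"hosts file sends {parts[1]} to {parts[0]}", line)
    elif sec in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        name = key.rsplit(",", 1)[-1]
        if name == "ProxyServer":
            # http=127.0.0.1:6711 means every request passes through a local listener.
            for entry in value.split(";"):
                target = entry.split("=", 1)[-1].strip()
                if target.startswith(("127.", "localhost")):
                    return Finding(sec, "review", f"proxy points at local listener {target}", line)
        elif name in PAGE_KEYS:
            host = host_of(value)
            if host and not is_trusted(host, TRUSTED_PAGE_HOSTS):
                return Finding(sec, "fix", f"{name} set to untrusted host {host}", line)
    elif sec in ("O2", "O3"):
        # BHOs and toolbars belong under Program Files or System, not a data folder.
        path = body.rsplit(" - ", 1)[-1].upper()
        if "\\APPLICATION DATA\\" in path or "\\TEMP\\" in path:
            return Finding(sec, "fix", "browser extension loaded from a data directory", line)
    elif sec == "O16":
        host = host_of(body.rsplit(" - ", 1)[-1])
        if host and not is_trusted(host, TRUSTED_DPF_HOSTS):
            return Finding(sec, "review", f"ActiveX download from unrecognised host {host}", line)
    return None


def triage(log_text):
    return [f for f in map(check_line, log_text.splitlines()) if f is not None]


# Constructed sample: a subset of the lines quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find-quick.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.kickme.to/msnskins
O1 - Hosts: 204.244.184.143 SafeWeb.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {b13dace0-b261-11d7-a760-0080c6ea363e} - C:\WINDOWS\APPLICATION DATA\KSTCKCRDWC.DLL
O3 - Toolbar: uooocreaztr - {b13dace1-b261-11d7-a760-0080c6ea363e} - C:\WINDOWS\APPLICATION DATA\KSTCKCRDWC.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F0230524-9D39-4E84-8452-41C592961EA7} (Installer Class) - http://www.tradeexit.com/Config.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

Entries the rules do not recognise (the Norton BHO, the Yahoo start page, the Macromedia cab) produce no finding, which is the intended behaviour: the script narrows the list a human still has to judge.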
  7. 2004/08/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    O4 - HKLM\..\Run: [SystemTray] Systray.Exe
    TWO possibilities here:
    1. SYSTRAY.EXE - System Tray Services. Provides the Volume Control, PC Card Status, Power Management and other icons that reside in the System Tray. SYSTRAY.EXE may be disabled if none of these services are required. It will launch as and when required if you later enable the icons. If you need these items they're available via Start -> Settings -> Control Panel
    The following icons provided by Systray.exe may appear on the taskbar:
    Battery Meter
    PC Card Status
    Volume Control
    Quickres
    Task Scheduler
    Other parts of the system may provide additional taskbar icons. For example:

    * Windows Explorer provides the printer status icon
    * Microsoft Exchange or Microsoft Outlook provides the mail status icon
    * The Accessibility status indicator program (Accstat.exe) displays keyboard accessibility icons
    * Microsoft Fax adds the Fax Rendering and Fax Status icons
    If you have most of those icons in your systray, then SYSTRAY.EXE is a legit file. See below, how to find out.

    2. Added as a result of the ALADINZ.P VIRUS! Note - this is not the valid System Tray (systray.exe) which resides in C:\Windows\System (Win9x/Me), C:\Winnt\System32 (WinNT/2K) or C:\Windows\System32 (WinXP). If you right-click on the real systray.exe the "Properties" reveal it to be a Microsoft file
     
  8. 2004/08/27
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Thanks for the info broni. My best understanding is that NT systems (NT4/2K/XP/2K3) absolutely will not have this entry showing in a HJT scan even when all the usual systray apps are alive and well so if it shows up, it's a baddie. I just wasn't sure about 9X/ME systems.
     
    Newt,
    #7
  9. 2004/08/28
    steelwool

    steelwool Inactive Thread Starter

    Joined:
    2003/03/12
    Messages:
    37
    Likes Received:
    0
    Thanks so much for the help so far. I'd just like to ask if I can get further info on one of the recommended entries to check off: R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711. You recommend I get rid of this unless I happen to know I'm using this proxy server. I actually don't know why I have this but wondering if it has something to do with the We-Blocker program I'm running?? Or is it anything to do with that SafeWeb.com entry, which I also had no idea what that was but I found some info on it that apparently it was supposed to allow users to connect through the safeweb.com server to protect users privacy .... so would this mean it's a proxy server ???
     
  10. 2004/08/28
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    It certainly could be that and Safeweb.com could be something you signed up for on purpose or that the parental control program set up for you. In that case, leave the proxy server and the host file entries alone but at some point you might want to check with their tech support and make sure.
     
    Newt,
    #9
  11. 2004/08/28
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Fix these also

    O16 - DPF: {F0230524-9D39-4E84-8452-41C592961EA7} (Installer Class) - http://www.tradeexit.com/Config.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.6.cab

    and any other O16 - you're not sure about.

    Post another log but with hijackthis 1.98.2 please
    http://radiosplace.com/
     
  12. 2004/08/28
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Thanks for that Lonnie.

    And I really like your new 'computer experience' entry. Wonderful. :D
     
  13. 2004/08/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Usually those entries are safe.
     
  14. 2004/08/29
    steelwool

    steelwool Inactive Thread Starter

    Joined:
    2003/03/12
    Messages:
    37
    Likes Received:
    0
    2nd log

    Thanks for all your help so far. Also ran CWShredder and didn't find any infections.

    Logfile of HijackThis v1.98.2
    Scan saved at 5:36:45 PM, on 8/29/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\SYSWB6.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMGR.EXE
    C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMON.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
    O1 - Hosts: 204.244.184.143 SafeWeb.com
    O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [SYSWB6] SYSWB6
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe "
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] c:\windows\SYSTEM\ssdpsrv.exe
    O4 - Startup: Event Reminder.lnk = c:\PROGRA~1\MINDSC~1\PRINTM~1\PMREMIND.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE (file missing)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
    O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O16 - DPF: {18B01F09-2965-11D3-9461-00A0C9B1E042} (FunnyVoiceCtl Class) - http://www.kiddonet.com/kiddonet/luvclicks2/FunnyVoice.ocx
    O16 - DPF: {A2A62F90-6106-11D3-96F3-00105A771372} (KaraokeComCtl Class) - http://www.kiddonet.com/lapware/actmenu/KaraokeAnim/karaokeCom.ocx
    O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnotes.com/download/npmusicn.cab
    O16 - DPF: {2CDA4FA9-4A2B-4925-8EB4-61BDDE935A84} (OutlookVerification.vOutlook) - http://www.rogershelp.com/smtp/voutlook.cab
    O16 - DPF: ConferenceRoom Java Client - http://chat.musiccity.com/java/cr.cab
    O16 - DPF: {6D655755-EB1B-11D5-A74F-0008C7DA2EA8} (prjRemMail.ctlRemMail) - http://www.rogershelp.com/remmail.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnview95.cab
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {3FC76754-41A5-11D2-9370-00A0C9B1E042} (ColoringCtl Class) - http://www.kiddonet.com/lapware/actmenu/coloring/Coloring.ocx
    O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - https://vhost.oddcast.com/admin/hostClientIE.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - https://www.cbs.gov.on.ca/obra/forms/Codebase/FormCtl.cab
    O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://data6.archives.ca/mrsidi_cab/MrSIDI.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.bramptonmaps.ca/bramptonwebsite/acgm/Acgm.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
     
  15. 2004/08/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    O1 - Hosts: 204.244.184.143 SafeWeb.com
    O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
    Fix both. "www.safeweb.com" is one of Symantec's web pages dedicated to "Safeweb" technology, but it doesn't match the numeric address: 204.244.184.143, which belongs to "www.safe.com"

    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    Did you right click on that file to see if it's Microsoft file?

    O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
    Windows Update Critical Update Notification. This will appear in your Task List if you did a Windows Update at some stage and installed the "Critical Update Notification" component. In some versions this process is scheduled to run every 5 minutes and you cannot change the schedule
    Recommendation :
    Do not walk, run to your "Add/Remove Programs" icon in the Control Panel and immediately de-install Microsoft Windows Critical Updates Notification. The consequences of some Microsoft Critical Updates have been such that the last thing you need is something to remind you, and therefore entice you to update your Windows environment with the very latest bug fix (which is what critical updates really are) from Microsoft. It is not just that some of those updates have been quite simply disastrous, it is also that too often for our liking, the full consequences of installing some of those updates are not always clearly spelt out by Microsoft. Yes, some of those updates are needed from a security point of view, but in 98% of cases if you either run a good firewall or your PC is configured securely, then you are protected anyway, so do not fix what doesn’t need fixing. It is best that you simply do a Windows Update once every two or three months, say, and only at times when you do not require your PC urgently in the following 24 hours ! Finally, quite aside from the above, WUCRTUPD is also sometimes responsible for illegal operations, 3-seconds mouse freezes, WULOADER error messages, and Invalid Page Faults in KERNEL32.

    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    Windows 98 "Power Management" is a faulty feature, so you'll do better without it, as it may cause all kinds of errors and conflicts. Go to "msconfig/Startup", and uncheck TWO identical entries: "LoadPowerProfile"

    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    This program is installed by some of the older Lexmark printer drivers. Sometimes required for the printer to work correctly - not in the case of a Lexmark Z42 for instance. The program can cause extremely severe slow-downs. It can also cause your PC to dial out on boot up ! Your best shot would be to de-install the printer driver by deleting all copies of the printer from the Printers folder, and answering "Yes" to the "Do you want to remove all files?" question. Additionally, but only if you are a Technically Advanced User, also delete all LEX*.* files from C:\Windows\System. Then uncheck above entry in "msconfig/startup ". Finally, go to Lexmark web site, and download the latest driver for your printer. For most models the new all-models-in-1 Lexmark driver no longer makes use of this program. Even when it does, the updated driver has a LEXSTART which behaves !

    O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
    Internet Connection Sharing allows more than one computer to simultaneously access the internet with a single connection. Also required when networking two machines. Is it your case?

    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    Installed with MSN Explorer and loads the MSN Queue Manager. Required to enable the WU AutoUpdate feature. Note that disabling this can sometimes prevent internet sharing working on Win2K Pro SP2. Reports also suggest that removing it will re-enable internet access - hence the "users choice" recommendation. If you have problems leave it, otherwise I recommend you disable it

    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    Not needed at startup. Available via Start -> Programs, or you can create a desktop shortcut.

    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    MS Scheduling Agent displayed as a box with a stopwatch in the System Tray that is only needed if you have regular scheduled disk defragmenting, ScanDisk, etc.

    O4 - HKLM\..\RunServices: [SSDPSRV] c:\windows\SYSTEM\ssdpsrv.exe
    If you are using standard Plug and Play devices, you do not need this program. You can de-install it by un-selecting "Universal Plug and Play" in "Add/Remove Programs \ Windows Setup tab \ Communications".

    O4 - Startup: Event Reminder.lnk = c:\PROGRA~1\MINDSC~1\PRINTM~1\PMREMIND.EXE
    A calendar/alarm program that installs with Brøderbund Printmaster. Do you use it?
     
  16. 2004/08/30
    steelwool

    steelwool Inactive Thread Starter

    Joined:
    2003/03/12
    Messages:
    37
    Likes Received:
    0
    Broni,
    This is an amazing amount of information...thank you so much for all the time you've taken as well as the others who have responded. I have taken your advice & immediately removed Critical Update Notification. I don't know if it's some kind of coincidence or not, but immediately after uninstalling it, my internet was much slower...after a while it got a little better, but is still having problems intermittently loading pages. When I uninstalled it from Control Panel, I didn't get any message at all like "preparing to uninstall"...it just immediately disappeared from the list. So I'll see how things go in the next few days.

    I'd like to ask some more info on some of the other items though.

    O4 - HKLM\..\Run: [LoadQM] loadqm.exe - do I disable this in msconfig?

    O4 - Startup: Event Reminder.lnk = c:\PROGRA~1\MINDSC~1\PRINTM~1\PMREMIND.EXE - No I don't ever use this....do I disable it in msconfig?

    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe - Yes, I did right click this and it says Copyright Microsoft Corp 4.10.2222

    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme - Also found elsewhere that it is user choice whether or not to disable this one depending on whether or not you modified the default settings .... I think I did change the default but don't remember why except I think I was having problems so thought the System Stand-by feature might be causing problem so I shut it off completely.... will there be any problem now if I disable it?

    O4 - HKLM\..\Run: [LexStart] lexstart.exe - "de-install the printer driver by deleting all copies of the printer from the Printers folder"....do I delete the printer through Windows Explorer or Settings/Control Panel/Printers?

    O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient - Yes I'm networking two PCs.

    O1 - Hosts: 204.244.184.143 SafeWeb.com
    O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
    "Fix both. "www.safeweb.com" is one of Symantec's web pages dedicated to "Safeweb" technology, but it doesn't match the numeric address 204.244.184.143, which belongs to "www.safe.com"".... What is a host??? I have not ever signed up for anything from www.safe.com? Is this some kind of spyware?
     
  17. 2004/08/30
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    I'll answer this one piece since it's a fairly common sort of evil deed.

    Hosts (no file extension) is a normal file on almost any operating system and Unix was using it some years before any Microsoft stuff could do networking.

    Hosts is a text file and located differently depending on the OS version you run. Normal Microsoft locations are:
    Win 98\ME = C:\WINDOWS
    Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
    Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC

    The file serves to speed up matching an IP address to a site name/computer name, and the OS will always check it first to find a name/address match. If one is found, no further checking will be done. So for instance, while the actual IP address of Apple.com is 17.254.3.183, if I ran a bad site at 104.26.33.208 and wanted to force people to go to it, a hosts entry
    104.26.33.208 apple.com
    would direct the PC to my site when the user wanted to go to the Apple site.

    The file itself is normal and can be very useful. Certain baddies will make nasty changes without asking you about it.

    Easiest solution is to clean up the hosts file and then lock it so it cannot be changed. If you need to make modifications you just unlock it.

    Spybot and quite a few other security programs offer the option to lock and unlock the file.
     
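The redirect mechanism Newt describes (hosts is consulted before DNS, so a single line can silently repoint a well-known name) is easy to check for mechanically. The script below is an added example and not part of the original thread or any tool mentioned in it: it parses a Windows-style hosts file, mimics the resolver's hosts-first lookup order, and flags any public hostname mapped to a routable address, which is the signature of a hijacker entry like the two O1 lines in the log. Loopback and unspecified addresses (127.0.0.1, 0.0.0.0, ::1) are deliberately not flagged, because those are how ad- and spyware-blocking hosts lists work. The sample hosts text is constructed for illustration; it mirrors the SafeWeb.com lines from the log and the apple.com example from the post above (the 104.26.33.208 address is the bogus one from that post, not Apple's).

```python
"""Added example: detect hijacker-style redirects in a hosts file.

Not code from the original thread. SAMPLE_HOSTS is constructed for
illustration; the hostnames and addresses in it come from the thread.
"""

import ipaddress
import re

# Constructed sample: a normal localhost line, the two entries from the
# HijackThis log, and a hijack of the kind described in the post above.
SAMPLE_HOSTS = """\
# Copyright (c) 1998 Microsoft Corp.
127.0.0.1       localhost
204.244.184.143 SafeWeb.com
204.244.184.143 WWW.SafeWeb.com
104.26.33.208   apple.com   www.apple.com   # pointed at a bad site
::1             localhost
"""


def parse_hosts(text):
    """Return a list of (ip, [hostnames]) tuples.

    Full-line and trailing '#' comments are stripped, blank lines skipped,
    and lines whose first field is not a valid IPv4/IPv6 address ignored.
    Hostnames are lower-cased because hosts matching is case-insensitive.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line: not a valid address, so the OS ignores it
        if names:
            entries.append((ip, [n.lower() for n in names]))
    return entries


def resolve(hostname, entries):
    """Mimic resolver order: the first matching hosts line wins.

    Returns the hosts-file address, or None when there is no entry and the
    OS would fall through to DNS. DNS is never consulted when a match exists,
    which is exactly why a single hosts line can redirect a whole site.
    """
    target = hostname.lower()
    for ip, names in entries:
        if target in names:
            return ip
    return None


def find_redirects(entries):
    """Flag every public hostname mapped to a routable (non-local) address.

    Loopback/unspecified targets are blocking entries, not redirects, so they
    are skipped; bare names without a dot (e.g. a LAN host) are skipped too.
    """
    flagged = []
    for ip, names in entries:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        for name in names:
            if "." in name:
                flagged.append((name, ip))
    return flagged


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    print("www.safeweb.com resolves via hosts to:", resolve("www.safeweb.com", parsed))
    for name, ip in find_redirects(parsed):
        print(f"suspicious redirect: {name} -> {ip}")
```

To run it against a real machine, read the file from the path for your OS version listed in the post above instead of SAMPLE_HOSTS. Anything `find_redirects` reports deserves a look: a legitimate entry would map a name to an address you put there yourself (a LAN printer, a test server), not a security vendor's domain to a third party's address.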
  18. 2004/08/30
    steelwool

    steelwool Inactive Thread Starter

    Joined:
    2003/03/12
    Messages:
    37
    Likes Received:
    0
    Thanks Newt for the tip about Spybot offering option to lock Host file. I checked my Spybot and I already did have Host file lock on, but I had no idea what this meant when I ticked it off.
    But also looked in Spybot's Host database, and SafeWeb.com 204.244.184.143 and WWW.SafeWeb.com are listed as baddies.

    So I'll go ahead and Fix both with Hijack This & then I'll enable Spybot to block any bad Host sites in the future as I didn't have this feature turned on.
     
  19. 2004/08/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    It must be a coincidence. I see no other explanation. What kind of connection do you have?

    O4 - HKLM\..\Run: [LoadQM] loadqm.exe - do I disable this in msconfig?
    Yes.

    O4 - Startup: Event Reminder.lnk = c:\PROGRA~1\MINDSC~1\PRINTM~1\PMREMIND.EXE - No I don't ever use this....do I disable it in msconfig?
    It should be uninstallable through Add/Remove. If it's not listed there, disable it in msconfig. I don't want you to delete anything by hand from the "Printmaster" directory, since it may have some impact on that program. You'll just have a few KB of unnecessary files. Better than screwing up a whole program.

    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe - Yes, I did right click this and it says Copyright Microsoft Corp 4.10.2222
    You are fine here, then.

    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme - Also found elsewhere that it is user choice whether or not to disable this one depending on whether or not you modified the default settings .... I think I did change the default but don't remember why except I think I was having problems so thought the System Stand-by feature might be causing problem so I shut it off completely.... will there be any problem now if I disable it?
    As I said, this belongs to the M$ junkyard, since it causes problems, and does nothing good in exchange. It was mostly designed for old-time monitors, whose screens could get burned (some pixels) by staying on the same picture display. But that's ancient history.
    You can check your actual settings by going to Control Panel, and double clicking on "Power Management ", but if you disable both "LoadPowerProfile" entries in msconfig, it doesn't matter, because it won't load those settings anymore.

    O4 - HKLM\..\Run: [LexStart] lexstart.exe - "de-install the printer driver by deleting all copies of the printer from the Printers folder "....do I delete the printer through Windows Explorer or Settings/Control Panel/Printers ?
    By Control Panel, but before you do it, what kind of Lexmark printer do you have, and how old is it?

    O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient - Yes I'm networking two PCs.
    OK

    O1 - Hosts: 204.244.184.143 SafeWeb.com
    O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
    "Fix both. "www.safeweb.com" is one of Symantec's web pages dedicated to "Safeweb" technology, but it doesn't match the numeric address 204.244.184.143, which belongs to "www.safe.com"".... What is a host??? I have not ever signed up for anything from www.safe.com? Is this some kind of spyware?
    This is a pretty safe shot, because Windows will rebuild the "hosts" file, no matter what you do to it, and there is no issue about your computer stopping working, or that kind of stuff.
    I suspect a web page hijacker here, since "www.safeweb.com" should match the numeric address listed to the left: "204.244.184.143". But it doesn't. "204.244.184.143" belongs to "www.safe.com", which means every time you type "www.safeweb.com" in your address bar, you'll be redirected to "www.safe.com". You can safely try it, no harm done, and you'll see for yourself if I'm correct. So, if it happens.....fix both entries.
     
  20. 2004/09/01
    steelwool

    steelwool Inactive Thread Starter

    Joined:
    2003/03/12
    Messages:
    37
    Likes Received:
    0
    Internet speed ok now...must have just been a coincidence.

    Have a Lexmark X75. Installed printer driver that came with printer when bought a year ago. Also installed this driver on my other PC and the HJT log for that PC doesn't have this entry. I may have possibly had an older Lexmark installed at one time and maybe all files were removed except this lexstart.exe ?


    Strange, but when I type "www.safeweb.com" in the address bar, it doesn't go to that site....it takes a while and then "page cannot be displayed" "cannot find server", and again on refresh. But Spybot lists this as a bad site it scans for, but it didn't find it on my PC. But I also just saw some MyWebSearch files on my PC which Spybot didn't detect. So I'm going to uninstall Spybot and re-install it again.
    Thanks again for all the time you've spent helping me out.
    AND HOPE YOU HAVE A HAPPY BIRTHDAY !!!!
     
    Last edited: 2004/09/01
  21. 2004/09/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Thank you for birthday greetings :)

    You can proceed, then with my advice.

    It's strange, because I have no problem logging on to "www.safeweb.com", or "www.safe.com". You may try at a different time. Regardless, I would kill those two entries.
     