73 Posts

June 8th, 2004 00:00

HIJACK THIS LOG

My friend is having a lot of complications on her computer and the AVG scan has detected about 30 viruses. 4 viruses which cannot be healed or deleted. All the viruses are in the AVG vault. I also ran spybot and adware on her computer. Adware detected about 150 malware, but I wasn't sure which files to delete. I have included logs from AVG and hijackthis. Can someone let me know which files I need to delete from hijack this and AVG. I would greatly appreciate if someone can help me out. Thank you

These are the 4 files that AVG cannot delete:

C:\Program Files\INTERN~2\ACTALERT.EXE Trojan horse Downloader.Dyfica.2.I
C:\Program Files\INTERN~2\OPTIMIZE.EXE Trojan horse Downloader.Istbar.3.BE
C:\Program Files\ISTSVC\ISTSVC.EXE Trojan horse Downloader.Istbar.3.AW
C:\Program Files\LYCOS\IEAGENT\LOADER.EXE Trojan horse Downloader.Small.4.BQ

THIS IS THE COMPLETE TEST FROM AVG:

Results of Complete Test, date and time 6/7/2004 19:10:58 :

Testing C:\ serial E0F9-B620
C:\HIBERFIL.SYS Cannot open; not checked!
C:\Documents and Settings\GEORGE\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\GEORGE\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\GEORGE\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\GEORGE\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Documents and Settings\LocalService\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\LocalService\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Documents and Settings\NetworkService\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Program Files\INTERN~2\ACTALERT.EXE Trojan horse Downloader.Dyfica.2.I
C:\Program Files\INTERN~2\OPTIMIZE.EXE Trojan horse Downloader.Istbar.3.BE
C:\Program Files\ISTSVC\ISTSVC.EXE Trojan horse Downloader.Istbar.3.AW
C:\Program Files\LYCOS\IEAGENT\LOADER.EXE Trojan horse Downloader.Small.4.BQ
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001683.EXE repaired
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001684.DLL repaired
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001685.EXE repaired
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001686.EXE Trojan horse Downloader.Agent.AS
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001687.EXE Trojan horse Downloader.Small.5.Y
C:\WINDOWS\SYSTEM32\AWKYGNNE.EXE Cannot open; not checked!
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Cannot open; not checked!

Test finished, duration 00:21:07.9 s
16341 objects tested, 9 found infected

THIS IS MY LOG FROM HIJACK THIS:

Logfile of HijackThis v1.97.7
Scan saved at 7:54:15 PM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\AVGANT~1\avgserv.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\documents and settings\george\local settings\temp\GYk7.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\sysupd.exe
C:\AVGANT~1\avgcc32.exe
C:\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\INHELPW.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.microsoft.com/fwlink/?LinkId=488
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spybot\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [GYk7] C:\documents and settings\george\local settings\temp\GYk7.exe
O4 - HKLM\..\Run: [zmwaixdfpj] C:\WINDOWS\System32\awkygnne.exe
O4 - HKLM\..\Run: [ijqf] C:\WINDOWS\ijqf.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [AVG_CC] C:\AVGANT~1\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [INHELPW] C:\WINDOWS\System32\INHELPW.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\spybot\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38145.726087963

 

151 Posts

June 8th, 2004 01:00

You are infected with a variant of the CoolWebSearch.

Download CWShredder from the below link and unzip it into a directory. Start CWShredder and click on the Fix button to have it remove all CWS infections it finds.

Download CWShredder from:

http://www.merijn.org/files/cwshredder.zip

After you download the program, unzip it into a directory. Make sure all browser windows are closed and double click on the cwshredder.exe to start the program. When the program is loaded click on the "Check for Update" button, and if it finds a new version it will download it. You should then double click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

To get the best results it is recommended that you run it in safe mode. Reboot windows and press F8 at boot/windows startup, usually right after the beep. Then select safe mode.

A tutorial that goes over this process step by step can be found here:

How to remove CoolWebSearch with CoolWeb Shredder

Once that is completed you should follow these steps in order to clean your computer of Malware which can include Viruses, Trojans, Worms, Spyware, Hijackers and Dialers.

Step 1:
Download Spybot and Adaware from the following locations and install them. You should run both programs and clean up what they find. This is to guarantee that you find the most malware you can installed on your computer.

Before running the scans on both programs, it is mandatory that you update the programs. There are update options in each program when you run them.

Spybot

Ad-aware

If you would like to learn more about how to use these two programs with the proper settings you can read the tutorials below:

AD-AWARE - Using Ad-aware to remove Spyware/Hijackers from Your Computer.

SPYBOT SEARCH AND DESTROY - Using Spybot - Search & Destroy to remove Spyware from Your Computer.


When you scan with both programs, fix everything that it finds.

When you are done with the scan and fixing the items, please continue with the next step.

Step 2:

It is important that you run Spybot and Adaware before you proceed with this step. Fixing entries with Hijackthis may leave behind unwanted files on your computer if the previous step was not done first.

Create a directory on your hard drive to save HijackThis.exe. A directory like c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

HijackThis

Save this file into the directory you made previously and then run the program. Click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit then click on Select all. Then click on Edit and then Click on Copy.

Create a reply to this post, and right click in message area and select paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial on using HijackThis you can click on the link below:

HijackThis - Using HijackThis to Remove Spyware, Browser Hijackers, and Dialers

73 Posts

June 8th, 2004 02:00

Thanks for the quick response. Okay I ran cwshredder on safe mode, then I ran adware and spybot. But there is one entry in spybot which can't be removed. I restarted the computer also and it still cannot be removed. This is my hijack log:

 

Logfile of HijackThis v1.97.7
Scan saved at 10:24:57 PM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\AVGANT~1\avgserv.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\documents and settings\george\local settings\temp\GYk7.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\AVGANT~1\avgcc32.exe
C:\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\WINDOWS\sysupd.exe
C:\WINDOWS\System32\_1252C.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.microsoft.com/fwlink/?LinkId=488
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spybot\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [GYk7] C:\documents and settings\george\local settings\temp\GYk7.exe
O4 - HKLM\..\Run: [zmwaixdfpj] C:\WINDOWS\System32\awkygnne.exe
O4 - HKLM\..\Run: [AVG_CC] C:\AVGANT~1\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [_1252C] C:\WINDOWS\System32\_1252C.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38145.726087963

 

151 Posts

June 8th, 2004 02:00

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and put a checkmark next to each of these. Then click the Fix button.

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [GYk7] C:\documents and settings\george\local settings\temp\GYk7.exe
O4 - HKLM\..\Run: [zmwaixdfpj] C:\WINDOWS\System32\awkygnne.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [_1252C] C:\WINDOWS\System32\_1252C.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q

Reboot your computer into Safe Mode and delete the following files:

Then delete these files or directories
C:\documents and settings\george\local settings\temp\GYk7.exe
C:\WINDOWS\System32\awkygnne.exe
C:\WINDOWS\sysupd.exe
C:\WINDOWS\System32\_1252C.exe
C:\PROGRAM FILES\CLOCKSYNC

Disable System Restore. You can find instructions on how to enable and reenable system restore here:

Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above.

Reboot your computer to go back to normal mode and post a new log.

73 Posts

June 8th, 2004 03:00

I did a completely new virus scan and it tells me it detected a new virus and this is where is located:

C:\RECYCLER\S-1-5-21-3760460158-1108853259-1819737574-1007\DC192.EXE Trojan horse Downloader.Agent.AS

There are also other virus files stored on my avg virus vault and these are just a few examples of where they are located:

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001683.EXE
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001684.DLL
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001685.EXE
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001686.EXE
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001687.EXE

If I were to delete all of them (about 20) would this cause any problems to my computer?

73 Posts

June 8th, 2004 03:00

OK, here is my new log. When I first ran hijackthis I made sure I deleted the files you told me to especially this one:

O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
but after rebooting and doing hijack again to post, I found the above file on the hijack log. So I fixed it again and rebooted for the second time and now this is my new hijack log. I hope this file doesn't keep coming up on my computer in the near future. Let me know what else I need to do.

 

Logfile of HijackThis v1.97.7
Scan saved at 11:24:46 PM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\AVGANT~1\avgcc32.exe
C:\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\AVGANT~1\avgserv.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.microsoft.com/fwlink/?LinkId=488
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spybot\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [AVG_CC] C:\AVGANT~1\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38145.726087963

 

73 Posts

June 8th, 2004 03:00

Also there are a lot of files in my AVG virus vault..should I just delete all of them?

3.4K Posts

June 8th, 2004 03:00

I'll interject here for Grinler since he's offline and I did get several PMs from you before Grinler handled your problems admirably. Way to go both of you!

The entry for the deleted item occurs now and again...good followup by you. Perhaps Grinler will share some tips on this as he has a very good tutorial on Hijackthis at bleepingcomputer.com.

Yes...just saw your second post...purge the quarantined files in AVG.. I never let mine even get to quarantine in NAV (reminds me I need to finish that web tutorial explaining how Norton drops the ball on their dumb lockstep options for quarantine versus deletion option).

Also..reflush your Restore Points like Grinler suggested:

After the final all clear is given by us you should flush your Restore Points for XP. That means disabling the Restore Point, rebooting to flush it, then re-enabling a new Restore Point. The reason why we need to do this is to purge the bad files hidden in System Restore which can't be cleaned by your antivirus programs.

See FAQ 12 here: http://www.russelltexas.com/malware/faqhijackthis.htm

Here's how to stay clean like us.

You look clean and hearty congratulations!

1. The main cleanup programs:

(the three free programs in Items 2 and 3 bolded below are a MUST in my opinion)

Spybot Search&Destroy, Ad-aware: Run weekly - or after a heavy internet session.

Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.

Follow the directions in this detailed guide for Spybot and Adaware...go slow on the directions for the custom setup of Adaware:

http://www.cjwd.demon.co.uk/spybot-adaware.html

I also like to run Windows Disk Cleanup after cleaning with those two tools. Make sure you reboot if any reboot cleanup functions of Spybot and Adaware are advised by these tools (this may happen at the end of their cleanup).

Reboot and click on Start/Run/ type: cleanmgr

If you have problems with Disk Cleanup hanging and not completing see this page for XP users:

http://support.microsoft.com/default.aspx?scid=kb;en-us;812248

Or try this fix: http://www2.whidbey.net/djdenham/DeleteOldFiles.htm

From MS Help: "Disk Cleanup helps free up space on your hard drive. Disk Cleanup searches your drive, and then shows you temporary files, Internet cache files, and unnecessary program files that you can safely delete. You can direct Disk Cleanup to delete some or all of those files."

I check all the selected categories and click OK at the end of Disk Cleanup.

If you have any problems with Disk Cleaner completing...XP users can fix it here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;812248

Or try this fix: http://www2.whidbey.net/djdenham/DeleteOldFiles.htm

2. Proactive programs: Spywareblaster & Spywareguard, first sets kill bits to stop known bad MSIE ActiveX scripts from installing, second acts like your AV to stop browser hijacks and installing of known baddies.

3. IE-Spyad, puts 4000 bad sites in your restricted (banned) sites list, to stop you accidentally getting sent to a bad site, it has optional list of "bad" adult sites to install as well.

Links for these at: http://www.cjwd.demon.co.uk/compsafetyonline.html

4. Don't forget keeping Windows updated. The automatic updates frequently fail so run it manually once a week or when new updates are publicized.

Windows Live Update Page
http://v4.windowsupdate.microsoft.com/en/default.asp
Free Windows Security CD (for those who qualify):
www.microsoft.com/security/protect/cd/order.asp

You can also start Windows Update by running Internet Explorer, pulling down Tools on top Menu bar and selecting Windows Update. Install ALL critical updates! Always!

If LiveUpdate fails (and it is prone to on MANY machines) download each patch manually from the MS advisory pages and install manually. Works for me!

5. Keep your antivirus updated.
Free AVG Antivirus for home users: http://www.grisoft.com

6. Beg, borrow, or buy a Software Firewall if at all possible. I use Norton Internet Security 2004 and it has saved my bacon more times than I can count. For a free software firewall turn on the fairly lame firewall in Windows XP (I say it is lame because it does not monitor or block outgoing traffic...only incoming...a serious omission if the threat occurs inside your network). Hopefully with the upcoming Service Pack 2 this flaw will be addressed.

http://www.microsoft.com/technet/community/columns/5min/5min-101.mspx#XSLTsection125121120120

A better choice for now for a free software firewall is Zone Alarm.
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

7. Practice safe computer habits. Don't click on strange email attachments thinking your AV will defend you. Usually it will. Sometimes it won't when a new virus hits the Net and definitions take hours to create by the AV vendors. There is only one defense that works 100% for the safe protection of your machine's personal data and that is timely and accurate backups of your files. Hard drives die, viruses ruin your files, and other bad things can happen (fire, theft, etc..). Offsite backups are the best.

8. Don't forget our great analysis tool Hijackthis. We have a lot of gratitude we need to show towards the author Merijn. I hope he does great things in his future endeavors and is richly rewarded for his time and expertise in providing this super program.

Hijackthis (to analyse your system and submit a log file to expert forums):
http://tomcoyote.com/hjt

(for Hijackthis logs...please copy to and run Hijackthis.exe into a new folder you create in the root level of the C: drive. Name this folder HJT for best and safest results). (don't put in a Local Settings Temp folder, or the Windows desktop, etc...as it needs a safe folder to keep backup logs). Also when XP and W2K users post here and place it in the Local Settings, the log usually shows their full name since their Windows user profile is commonly named with their full name. We try not to disturb your privacy. *;-)

See this link for graphical instruction: http://russelltexas.com/malware/faqhijackthis.htm

Forums for help and analysis of your Hijackthis logfile:

http://forums.us.dell.com/supportforums
http://forums.tomcoyote.com
http://www.spywareinfo.com/forums
http://www.wilderssecurity.com
http://www.computercops.us/forums.html
http://forums.net-integration.net
http://boards.cexx.org

And I'll now be adding www.bleepingcomputer.com   Just registered there myself.

Thanks again Grinler!

Good luck and safe computing!

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

3.4K Posts

June 8th, 2004 04:00

Disk Cleaner and flushing Restore Points will kill those files.

Edit:  don't delay on Windows updates...things can go south in a hurry if your patches aren't there. I never even let my new machines get on the Net before I totally patch with CDR-burned patches I downloaded. Big issue now in the corporate and large network world.

Texruss

Message Edited by Texruss on 06-08-2004 12:02 AM

73 Posts

June 8th, 2004 04:00

Grinler and Texruss,

I want to thank you both for helping me out. My friend's computer is totally clean...=)..!!

151 Posts

June 8th, 2004 12:00

My bad on sysupd. It is a dialer that monitors the registry entry and adds itself back in when you remove it. Should have had you end task on that process first.

As Texruss said, the best method for preventing future infections is to use SpywareBlaster, SpywareGuard, and IE-Spyad. All these are excellent resources for protecting your computer.

If you have the new Spybot - S&D (version 3) installed there is no need for SpywareGuard as the same functions are now found in Spybot's TeaTimer program. So if you have SpywareGuard and Spybot - S&D TeaTimer installed you will get double the prompts and overhead, but really no added protection.

You can find tutorials for using the above 4 products, including the new version of Spybot at the below links:

IE-SPYAD - Using IE-Spyad to enhance your privacy and security.

SPYWAREBLASTER - Using SpywareBlaster to protect your web browser.

SPYWAREGUARD - Using SpywareGuard to protect your computer from Spyware/Hijackers.

SPYBOT SEARCH AND DESTROY - Using Spybot - Search & Destroy to remove Spyware from Your Computer.

I also would possibly stay away from Zone Alarm right now. In the past the product has been terrific, but since its last updates the members of my board have been having quite a bit of problems. If you would prefer not to use ZoneAlarm, then I would consider the free version of Kerio as another excellent alternative.

Glad it all worked out :)
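The sysupd case above (an autorun that puts its Run value back while its process is still alive) can be checked for directly in the logs. This is an added example, not part of the original thread and not HijackThis's own code: it reports which entries on a fix list point at a process that is still running, and which fixed entries show up again in a later scan. The function names and the later scan are assumptions made for illustration.

```python
import re

# Sample input: lines abbreviated from the HijackThis logs posted in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\Explorer.EXE
C:\documents and settings\george\local settings\temp\GYk7.exe
C:\WINDOWS\sysupd.exe
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GYk7] C:\documents and settings\george\local settings\temp\GYk7.exe
O4 - HKLM\..\Run: [zmwaixdfpj] C:\WINDOWS\System32\awkygnne.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
"""

# Constructed later scan, reproducing what the poster described after the reboot.
LOG_AFTER = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sysupd.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
"""

# The O4 entries the helper asked to have fixed.
FIX_LIST = [
    r"O4 - HKLM\..\Run: [GYk7] C:\documents and settings\george\local settings\temp\GYk7.exe",
    r"O4 - HKLM\..\Run: [zmwaixdfpj] C:\WINDOWS\System32\awkygnne.exe",
    r"O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe",
]

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
RUN_RE = re.compile(r"^(HK(?:LM|CU))\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
# Quoted path, or an unquoted path (which may contain spaces) up to the extension.
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|scr|pif))(?=\s|$)', re.I)


def norm(path):
    """Case-insensitive comparison key. 8.3 short names are not expanded."""
    return path.strip().strip('"').lower()


def running_processes(log):
    """Paths listed between 'Running processes:' and the next blank line."""
    procs, in_section = set(), False
    for line in log.splitlines():
        if line.strip().lower() == "running processes:":
            in_section = True
        elif in_section:
            if not line.strip():
                break
            procs.add(norm(line))
    return procs


def entries(log):
    """All 'Xn - ...' result lines of a log."""
    return [ln.strip() for ln in log.splitlines() if ENTRY_RE.match(ln.strip())]


def autorun_target(entry):
    """Return (value_name, exe_path) for an O4 registry Run entry, else None."""
    m = ENTRY_RE.match(entry.strip())
    if not m or m.group(1) != "O4":
        return None
    r = RUN_RE.match(m.group(2))
    if not r:
        return None
    e = EXE_RE.match(r.group(4))
    path = (e.group(1) or e.group(2)) if e else r.group(4)
    return r.group(3), norm(path)


def must_kill_first(log, fix_list):
    """Fix-list autoruns whose executable is running at scan time."""
    procs = running_processes(log)
    targets = (autorun_target(e) for e in fix_list)
    return [t[0] for t in targets if t and t[1] in procs]


def came_back(fix_list, later_log):
    """Fix-list entries that are present again in a later scan."""
    later = {" ".join(e.split()).lower() for e in entries(later_log)}
    return [e for e in fix_list if " ".join(e.split()).lower() in later]


if __name__ == "__main__":
    print("end these processes before fixing:", must_kill_first(LOG_BEFORE, FIX_LIST))
    print("returned after fix:", came_back(FIX_LIST, LOG_AFTER))
```

An entry that appears in both results is the pattern described above: the process has to be ended before the Run value is fixed, otherwise it writes the value back.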

73 Posts

June 8th, 2004 14:00

OK, I thought my computer was clean...until I did bitdefender and I found more trojans....!!!!!! OK, this is the report that bit defender gave me.....please help, I am so tired of sitting in front of this computer.

C:\Documents and Settings\George\Local Settings\Temp\THI3DCF.tmp\twaintec.cab=>twaintec.dll infected: Trojan.Spy.BiSpy.C
C:\Documents and Settings\George\Local Settings\Temp\THI3DCF.tmp\twaintec.dll infected: Trojan.Spy.BiSpy.C
C:\Documents and Settings\George\Local Settings\Temp\THI3DCF.tmp\twaintec.dll unable to disinfect
C:\Documents and Settings\George\Local Settings\Temp\THI65F3.tmp\twaintec.cab=>twaintec.dll infected: Trojan.Spy.BiSpy.C
C:\Documents and Settings\George\Local Settings\Temp\THI65F3.tmp\twaintec.dll infected: Trojan.Spy.BiSpy.C
C:\Documents and Settings\George\Local Settings\Temp\THI65F3.tmp\twaintec.dll unable to disinfect
C:\Documents and Settings\George\Local Settings\Temp\whenu.exe infected: Trojan.Adware.Whenu.B
C:\Documents and Settings\George\Local Settings\Temp\whenu.exe unable to disinfect
C:\Program Files\Windows Media Player\wmplayer.exe.tmp suspect: Trojan.Downloader.Small.Gen

I also included another hijack log file:

Logfile of HijackThis v1.97.7
Scan saved at 11:55:42 AM, on 6/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\AVGANT~1\avgcc32.exe
C:\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\AVGANT~1\avgserv.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.microsoft.com/fwlink/?LinkId=488
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [AVG_CC] C:\AVGANT~1\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38145.726087963

 


 

Message Edited by jlu on 06-08-2004 10:53 AM

Message Edited by jlu on 06-08-2004 10:56 AM

151 Posts

June 8th, 2004 19:00

Reboot into safe mode again and delete these files if they are not already gone. They are remnants of the original infection (probably where they were installed from).

Delete all files from the temp directory below:
C:\Documents and Settings\George\Local Settings\Temp\

Delete below file as well:
C:\Program Files\Windows Media Player\wmplayer.exe.tmp suspect: Trojan.Downloader.Small.Gen

73 Posts

June 8th, 2004 20:00

OK I went to safe mode and I deleted files from these 2 folders:

C:\Program Files\Windows Media Player\wmplayer.exe.tmp

C:\Documents and Settings\George\Local Settings\Temp\THI65F3.tmp\

I did not delete files from this folder:

C:\Documents and Settings\George\Local Settings\Temp\

because there are so many files including hidden files and I wasn't sure if you meant EVERYTHING in that folder. If you are positively sure about deleting everything from this folder then I will go back and do it again. Do you want me to show all the hidden files, when I do delete it? I just want to make sure before I do it...=)

Message Edited by jlu on 06-08-2004 04:32 PM

151 Posts

June 8th, 2004 20:00

You only delete this file, right?

C:\Program Files\Windows Media Player\wmplayer.exe.tmp


Also, you should be able to delete all the files found in:

C:\Documents and Settings\George\Local Settings\Temp\

as they are temporary files and are not necessary. If you normally save stuff into that directory, which you shouldn't, then that could be a problem. Otherwise, delete all the files found in the temp folder.

June 16th, 2004 01:00

Okay, excuse me for being a totally green, borderline-retarded neophyte, but I have done all of the steps up to here and this is the log I got from HijackThis:


Logfile of HijackThis v1.97.7
Scan saved at 6:57:52 PM, on 15/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Trevor Marshall\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Basic - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Basic\popuppro.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\RunOnce: [KB837272] "C:\WINDOWS\INF\unregmp2.exe" /UpdateWMP
O4 - HKLM\..\RunOnce: [Q814995] rundll32.exe apphelp.dll,ShimFlushCache
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {11111111-1111-1111-1234-123423452345} - http://66.117.38.54/dexCA627.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1087335062029
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,74/mcinsctl.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04749098791885ab0c19/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37892.7340509259
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1008_1034_pack_XP.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4365/mcfscan.cab

I really can't imagine how all of this could possibly make sense to anyone, but if it does, some guidance would be very welcome.

thanks
