TheTechGuide Forum
General Category => Tech Clinic => Topic started by: bk0566 on March 12, 2005, 09:58:15 PM
-
I am running Windows XP Pro and am having trouble removing WebSiteViewer. I have run AdAware SE and Spybot and a full system scan with Norton AntiVirus 2004 with current virus file, but when I reboot it reinstalls itself. Not sure what else to do. I have attached the HijackThis log below. Thanks in advance for your help...bk0566
Logfile of HijackThis v1.99.1
Scan saved at 9:55:28 PM, on 3/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Microsoft BizTalk Server\MSCIS.exe
C:\Program Files\Microsoft BizTalk Server\XLANG Scheduler\WFSVCMGR.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\WebSiteViewer\125235.dlr
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/chsi.html
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [aoawzrobvj] C:\WINDOWS\System32\jonxefa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} - http://download.35mb.com/images/dlapplet.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsu[censored]a Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
===Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad, not including the word quote
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop, we'll need this later, don't run it yet
REGEDIT4
[-HKEY_CURRENT_USER\Software\WebSiteViewer]
Print the rest of this out or save to a Notepad file on your desktop
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
Access your Add/Remove programs and remove if found
Ebates_MoeMoneyMaker
Find and delete this folder
C:\Program Files\WebSiteViewer <--this folder
C:\Program Files\Ebates_MoeMoneyMaker <--folder
and this file if found
C:\WINDOWS\System32\jonxefa.exe <--this file
Stay in safe mode
Go to START>>RUN>>type in
%temp
Hit OK
In the new window click on EDIT>>Select All
Delete the selected
Do another scan with Hijackthis and put a check next to these entries:
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [aoawzrobvj] C:\WINDOWS\System32\jonxefa.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} - http://download.35mb.com/images/dlapplet.cab
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Double click on fix.reg and allow to merge to the registry
Restart back to Normal mode
Post back a fresh Hijackthis log
-
Guestolo,
I followed your instructions. A couple of notes:
- Ebates_MoeMoneyMaker was not in the add/Remove list
- The Ebates_MoeMoneyMaker folder was not there
- The jonxefa.exe file was not there
- When I did start run %temp was not found
- I did the fix in HiJackThis as you stated
- I ran the registry fix
The WebSiteViewer folder is back after restarting in Normal Mode. I have attached the new Hijack log below. Thanks again for the help, let me know what the next steps should be. bk0566
Logfile of HijackThis v1.99.1
Scan saved at 10:50:35 PM, on 3/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Microsoft BizTalk Server\MSCIS.exe
C:\Program Files\Microsoft BizTalk Server\XLANG Scheduler\WFSVCMGR.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\WebSiteViewer\125235.dlr
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/chsi.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsu[censored]a Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
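An added example, not part of the original thread: a small parser that compares two HijackThis scans to list which entries a fix removed and which running process still has no listed entry pointing at it. The two log excerpts are a few lines copied from the first two scans above; the function names are illustrative.

```python
import re

# Constructed excerpts: a handful of lines copied from the first two scans in
# this thread (most entries omitted to keep the sample short).
SCAN_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:55:28 PM, on 3/12/2005
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\WebSiteViewer\125235.dlr
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [aoawzrobvj] C:\WINDOWS\System32\jonxefa.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} - http://download.35mb.com/images/dlapplet.cab
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
"""

SCAN_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:50:35 PM, on 3/12/2005
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\WebSiteViewer\125235.dlr
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# Coded entries look like "O4 - ..." or "R3 - ...": one letter, 1-2 digits.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_log(text):
    """Split a HijackThis log into running processes and coded entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # the process list ends at the first entry
            entries.append((match.group(1), match.group(2)))
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def diff_entries(before, after):
    """Return (removed, added) entries, compared case-insensitively."""
    def key(entry):
        return (entry[0], entry[1].lower())

    before_keys = {key(e) for e in before["entries"]}
    after_keys = {key(e) for e in after["entries"]}
    removed = [e for e in before["entries"] if key(e) not in after_keys]
    added = [e for e in after["entries"] if key(e) not in before_keys]
    return removed, added


def unreferenced_processes(scan, folder):
    """Processes running from `folder` that no entry in the same log mentions.

    A hit means the log alone does not show what launches the process, so the
    launch point has to be looked for outside the listed entries.
    """
    prefix = folder.lower().rstrip("\\") + "\\"
    return [
        proc for proc in scan["processes"]
        if proc.lower().startswith(prefix)
        and not any(proc.lower() in detail.lower()
                    for _, detail in scan["entries"])
    ]


if __name__ == "__main__":
    before, after = parse_log(SCAN_BEFORE), parse_log(SCAN_AFTER)
    removed, added = diff_entries(before, after)
    for code, detail in removed:
        print("removed:", code, "-", detail)
    for code, detail in added:
        print("added:  ", code, "-", detail)
    for proc in unreferenced_processes(after, r"C:\Program Files\WebSiteViewer"):
        print("still running, no listed entry:", proc)
```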
-
I forgot to add in the other % sign, sorry about that
should have looked like this
%temp%
Let's try this instead
==Download and Install this small program
to help clean your temp folders, cookies, prefetch folder, etc...
Windows Cleanup (http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe)
Install for now, don't run a scan yet
Restart in safe mode
Delete this folder
C:\Program Files\WebSiteViewer
Double click on fix.reg <<allow to merge
Open Windows CleanUp>>START>>All programs>>Cleanup
Click on the CleanUp button, let it finish scanning for files
Restart back to Normal mode
Post back a fresh Hijackthis log afterwards
-
Hi Guestolo,
I followed your last instructions and things appear to be getting better. When the machine boots now a dialog appears that says cannot prepare plugin. The WebSiteViewer folder is still created, but there are no files in it. Attached is the HiJack log. Thanks again for the help......bk0566
Logfile of HijackThis v1.99.1
Scan saved at 7:19:14 AM, on 3/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Microsoft BizTalk Server\MSCIS.exe
C:\Program Files\Microsoft BizTalk Server\XLANG Scheduler\WFSVCMGR.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/chsi.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsu[censored]a Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
I spoke too soon. The second time I got on this morning the directory was again populated with all the files. I ran another HiJack after this in case there was a change and attached the log below. Thanks for the help.....bk0566
Logfile of HijackThis v1.99.1
Scan saved at 9:53:48 AM, on 3/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Microsoft BizTalk Server\MSCIS.exe
C:\Program Files\Microsoft BizTalk Server\XLANG Scheduler\WFSVCMGR.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\WebSiteViewer\125235.dlr
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/chsi.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
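An added example, not part of any post in this thread: a small parser for a HijackThis log like the one above that lists running images whose extension is not `.exe` and checks whether any R/O entry in the same log names them. `SAMPLE_LOG` is an excerpt of lines copied from that log; the function names are this example's own.

```python
import ntpath
import re

# Excerpt of the HijackThis log posted above (a subset of its lines).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:53:48 AM, on 3/13/2005
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\WebSiteViewer\125235.dlr
C:\Program Files\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
"""

# Registry, BHO, autostart and service entries start with a section code
# such as R0, O4 or O23 followed by " - ".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_log(text):
    """Split a HijackThis log into (running_processes, entries).

    entries is a list of (section_code, rest_of_line) tuples.
    """
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            # The first coded entry ends the process list.
            in_processes = False
            entries.append((match.group(1), match.group(2)))
        elif line.lower() == "running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
    return processes, entries


def find_odd_processes(text, normal_exts=(".exe",)):
    """Return running images with an unusual extension, plus any log entry
    that mentions the image's file name or its folder."""
    processes, entries = parse_log(text)
    findings = []
    for image in processes:
        ext = ntpath.splitext(image)[1].lower()
        if ext in normal_exts:
            continue
        needles = [ntpath.basename(image).lower()]
        folder = ntpath.dirname(image).lower()
        if folder:
            needles.append(folder + "\\")
        refs = [
            f"{code} - {rest}"
            for code, rest in entries
            if any(needle in rest.lower() for needle in needles)
        ]
        findings.append({"image": image, "extension": ext, "autostart_refs": refs})
    return findings


if __name__ == "__main__":
    for hit in find_odd_processes(SAMPLE_LOG):
        print(f"{hit['image']} ({hit['extension']})")
        if hit["autostart_refs"]:
            for ref in hit["autostart_refs"]:
                print("  referenced by:", ref)
        else:
            print("  no R/O entry in this log references it")
```

An empty `autostart_refs` for a flagged image means the log does not show what launches it, so deleting the folder alone leaves the launcher in place.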
-
The second time I got on this morning the directory was again populated with all the files
Can you let me know what files you're talking about?
Download and save to desktop
HSFIX.zip (http://www.atribune.org/downloads/HSFix.zip)
Unzip the contents of HSFix.zip and an HSFix directory will be created
We'll need this later
Please print this out or save to a Notepad file on the desktop
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Important>>Restart your computer into safe mode
Delete the Websiteviewer folder again
If you see this folder delete it too
C:\WINDOWS\System32\Cache <--this folder, let me know if you find it
Navigate to the HSFix directory and double-click on HSFix.bat.
* It will produce a log file, located here: C:\hslog.txt. <--we'll need this later
Restart back to Normal mode
Post a fresh hijackthis log and the hslog.txt
-
Hi Guestolo,
Sorry I wasn't clear, the files I was referring to reappearing were the files in the websiteviewer folder. I have followed your latest instructions.
The hslog had only the following in it:
cerbmod.dll
This is the latest hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 5:43:50 PM, on 3/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Microsoft BizTalk Server\MSCIS.exe
C:\Program Files\Microsoft BizTalk Server\XLANG Scheduler\WFSVCMGR.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\WebSiteViewer\125235.dlr
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/chsi.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
Not sure if you understand
If you find this folder
C:\WINDOWS\System32\Cache <--this folder, exact location I want you to delete the Cache folder
I need you to properly download and run HSFix from the instructions I gave you previously and then post back the log from the location I pointed out to you
Again>>Restart into safe mode
Delete the Websiteviewer folder and then run HSFix.bat
Restart back into Normal mode
Post this log
C:\hslog.txt <--this log
Along with a fresh Hijackthis log
-
Guestolo,
This is exactly what I did. I did delete the C:\Windows\System32\cache folder. It was empty by the way. I ran the hsfix and the only file that came up in the log file was cerbmod.dll. I did all of this in safe mode.
bk0566
-
But I want you to post the log from HSFix.bat
I know, call me vain, I just like to see it for myself
-
Here's what I suggest, this should help nail it
Download this virus checker from eScan
Mwav.exe (ftp://ftp.microworldsystems.com/download/tools/mwav.exe)
There's nothing to install, save it and then double click to run
It will self extract
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and save it to a notepad file
****If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are
You may want to run it in safe mode, so ensure you save the log to a Notepad file
And please post the log back here
Post back a fresh hijackthis log afterwards too
-
Guestolo,
Wow, the mwav scan took 3 hours in safe mode. Attached below is the log produced followed by the HiJack log. Thanks again for the help...bk056
===============================================
File C:\WINDOWS\ibs.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\bk0566\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv124.jar-7b537c95-2e1ab25b.zip infected by "Trojan-Downloader.Java.OpenStream.c" Virus. Action Taken: No Action Taken.
File C:\misb.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\Program Files\ArcSoft\Software Suite\Funhouse\CdaLMS.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\ArcSoft\Software Suite\Greeting Card Creator\CdaLMS.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\ArcSoft\Software Suite\PhotoStudio\CdaLMS.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\HsFix\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\032C59AB.htm infected by "Exploit.HTML.DialogArg" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\07E200F3.dll infected by "Trojan.Win32.StartPage.mz" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\10AE34BE infected by "not-a-virus:AdWare.BiSpy.s" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\14F73CAF infected by "Trojan-Downloader.Win32.Agent.ae" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\208778AE infected by "Trojan-Downloader.Win32.WinShow.al" Virus. Action Taken: No Action Taken
File C:\Program Files\Norton AntiVirus\Quarantine\23800C1B Infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\23866014 infected by "not-a-virus:AdWare.PowerScan.b" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\23A703F0 infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\23AA2DEC infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\23AE57E9 infected by "not-a-virus:AdWare.ToolBar.ImiBar.b" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\23B101E5 infected by "Trojan-Downloader.Win32.WinShow.al" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\258B5FAB.zip infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\263C2C4F.zip infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\27317942.zip infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2735233E.zip infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\295B4940.class infected by "Trojan.Java.ClassLoader.k" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\32784EBF.class infected by "Trojan.Java.ClassLoader.d" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\36362AEF.htm infected by "Exploit.HTML.DialogArg" Virus. Action Taken: No Action Taken
File C:\Program Files\Norton AntiVirus\Quarantine\36A96B79.dll infected by "Trojan-Downloader.Win32.Small.ajp" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\38FF6EE8 infected by "Trojan-Downloader.Win32.Small.qo" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\39EA3DE5 infected by "Trojan-Downloader.Win32.Ani.c" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3A3F0188 infected by "Exploit.VBS.Phel.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3ACB0EED infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\47865039 infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\4BBF0645 infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\4DDB6ECF infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\549B59BD.php infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\549B59BD.zip infected by "Trojan.Java.ClassLoader.Dummy.e" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\549F03BA.class infected by "Trojan.Java.ClassLoader.h" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\567612BD infected by "Trojan-Downloader.Win32.IstBar.fy" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\58A55614 infected by "not-a-virus:PornWare.Dialer.Tibs" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\58A80011 infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\58AB2A0D infected by "not-a-virus:AdWare.SaveNow.z" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\5ABF1AAE infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\664F56AD infected by "Trojan-Downloader.Win32.Agent.ab" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\7BF779B3.class infected by "Trojan.Java.ClassLoader.i" Virus. Action Taken: No Action Taken.
File C:\Program Files\WebSiteViewer\125235.dlr infected by "not-a-virus:PornWare.Dialer.Tibs" Virus. Action Taken: No Action Taken.
File C:\Program Files\WebSiteViewer\125235.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7483E547-531E-4595-8D9C-0B459D280732}\RP29\A0011766.exe infected by "not-a-virus:AdWare.PowerScan.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7483E547-531E-4595-8D9C-0B459D280732}\RP29\A0011767.exe infected by "not-a-virus:AdWare.WebRebates.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7483E547-531E-4595-8D9C-0B459D280732}\RP29\A0011769.exe infected by "not-a-virus:AdWare.WebRebates.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7483E547-531E-4595-8D9C-0B459D280732}\RP30\A0011801.dll infected by "not-a-virus:AdWare.ToolBar.YourSiteBar.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7483E547-531E-4595-8D9C-0B459D280732}\RP30\A0011814.dll infected by "not-a-virus:AdWare.ToolBar.SideFind" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7483E547-531E-4595-8D9C-0B459D280732}\RP30\A0011817.dll infected by "not-a-virus:AdWare.ToolBar.SideFind" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7483E547-531E-4595-8D9C-0B459D280732}\RP40\A0048032.dll infected by "not-a-virus:AdWare.BiSpy.s" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7483E547-531E-4595-8D9C-0B459D280732}\RP41\A0048062.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7483E547-531E-4595-8D9C-0B459D280732}\RP41\A0048162.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7483E547-531E-4595-8D9C-0B459D280732}\RP42\A0049180.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7483E547-531E-4595-8D9C-0B459D280732}\RP42\A0049188.dll infected by "Trojan-Downloader.Win32.Small.ajp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7483E547-531E-4595-8D9C-0B459D280732}\RP42\A0050174.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7483E547-531E-4595-8D9C-0B459D280732}\RP42\A0050176.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7483E547-531E-4595-8D9C-0B459D280732}\RP42\A0051188.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7483E547-531E-4595-8D9C-0B459D280732}\RP42\A0051244.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7483E547-531E-4595-8D9C-0B459D280732}\RP42\A0052416.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7483E547-531E-4595-8D9C-0B459D280732}\RP42\A0055456.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7483E547-531E-4595-8D9C-0B459D280732}\RP42\A0055469.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7483E547-531E-4595-8D9C-0B459D280732}\RP42\A0055483.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7483E547-531E-4595-8D9C-0B459D280732}\RP42\A0056491.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{7483E547-531E-4595-8D9C-0B459D280732}\RP42\A0056519.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
=================================================
Logfile of HijackThis v1.99.1
Scan saved at 4:44:58 AM, on 3/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft BizTalk Server\MSCIS.exe
C:\Program Files\Microsoft BizTalk Server\XLANG Scheduler\WFSVCMGR.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\WebSiteViewer\125235.dlr
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/chsi.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
Well, that's showing some entries,
Can you first enter your Control Panel and Double click the Java Plugin Icon
Click on the Cache tab and clear the cache
Next: Would you please Disable System Restore
Leave it disabled until Asked to reenable it
Here are instructions on how to disable this feature
How to Disable and Re-enable System Restore feature (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)
Restart into Safe mode
Find and delete these files or folders
C:\misb.exe <--this file
C:\WINDOWS\ibs.exe <--file, if found
C:\Program Files\WebSiteViewer <--this folder
Look for any of these files and delete them
you may want to do a search for the bolded files too
C:\Documents and Settings\YOUR USER\desktop\sexcam.lnk <--file
C:\Documents and Settings\YOUR USER\start menu\sexcam.lnk <--file
Also check other user accounts including All Users account
For cleanup purposes you can enter Norton's Quarantine area and delete the files found in there too...
Run Windows CleanUp! again
Double click on Fix.reg and allow to merge to the registry
Run HSFix.bat again
Restart back to Normal mode
Re-enable System Restore and then Post back a fresh Hijackthis log
Hopefully that gets it all
-
Guestolo,
I think you got it!!!!!!!!!!!!! I am attaching the HiJack log after restarting in normal mode. Thanks, bk0566
Logfile of HijackThis v1.99.1
Scan saved at 8:56:06 PM, on 3/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Microsoft BizTalk Server\MSCIS.exe
C:\Program Files\Microsoft BizTalk Server\XLANG Scheduler\WFSVCMGR.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/chsi.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
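Added example, not part of the original thread and not code from HijackThis: a small script that compares a "before" and an "after" HijackThis log the way the helper does by eye, and flags running images that do not end in .exe. The two embedded logs are abridged from the ones posted in this thread; the function names are this example's own.

```python
import ntpath
import re

# HijackThis entry lines start with a section code such as R0, O4 or O23.
ENTRY_RE = re.compile(r"^[RFNO]\d{1,2} - ")

# Abridged from the first log in this thread (most lines omitted).
BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:55:28 PM, on 3/12/2005
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\WebSiteViewer\125235.dlr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack This\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

# Abridged from the fresh log posted after the cleanup steps.
AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:56:06 PM, on 3/14/2005
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""


def parse_hjt(text):
    """Return (running process paths, entry lines) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_RE.match(line):
            # The first R/F/N/O line ends the process list.
            in_procs = False
            entries.append(line)
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs:
            processes.append(line)
    return processes, entries


def _missing(items, other):
    """Items absent from `other`; case-insensitive, order kept, no repeats."""
    seen = {o.casefold() for o in other}
    out = []
    for item in items:
        key = item.casefold()
        if key not in seen:
            seen.add(key)
            out.append(item)
    return out


def diff_logs(before, after):
    """Compare two logs and report what disappeared and what appeared."""
    bp, be = parse_hjt(before)
    ap, ae = parse_hjt(after)
    return {
        "processes_gone": _missing(bp, ap),
        "processes_new": _missing(ap, bp),
        "entries_gone": _missing(be, ae),
        "entries_new": _missing(ae, be),
    }


def odd_process_images(processes):
    """Running images whose extension is not .exe (worth a closer look)."""
    return [p for p in processes if ntpath.splitext(p)[1].lower() != ".exe"]


if __name__ == "__main__":
    for name, lines in diff_logs(BEFORE, AFTER).items():
        print(name, lines)
    print("odd images before:", odd_process_images(parse_hjt(BEFORE)[0]))
```

On these excerpts only the process list differs; the R/O entry lines are the same in both logs.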
-
That may have taken care of it, thanks for running MWav
You should set up protection against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=53)
Download link (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD)
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
-
I didn't really have to do any hijack to remove the websiteviewer virus. Here are the steps I took:
I scanned my PC for adware/viruses and deleted them.
I uploaded the 128292.exe to my server and edited its contents. There I found the real name of the prog: tibsloader.EXE
I did a full system search on the SEXSEX.EXE and deleted it. I deleted the process of the SEXSEX.EXE when I hit ALT-CTRL-DELETE.
I went through regedit and deleted the values of the websiteviewer and tibsloader.EXE. I deleted the websiteviewer folder as well. Here is what the program looks like behind the beautiful but deadly face:
HKCR
{
    NoRemove AppID
    {
        {1E89F684-B78D-4C85-9EFC-3474516E3FE2} = s 'tibsloader'
        'tibsloader.EXE'
        {
            val AppID = s {1E89F684-B78D-4C85-9EFC-3474516E3FE2}
        }
    }
}
HKCR
{
    LoaderCon.LoaderCon.1 = s 'TIBS Loader module'
    {
        CLSID = s '{1E89F686-B78D-4C85-9EFC-3474516E3FE2}'
    }
    LoaderCon.LoaderCon = s 'TIBS Loader module'
    {
        CLSID = s '{1E89F686-B78D-4C85-9EFC-3474516E3FE2}'
        CurVer = s 'LoaderCon.LoaderCon.1'
    }
    NoRemove CLSID
    {
        ForceRemove {1E89F686-B78D-4C85-9EFC-3474516E3FE2} = s 'TIBS Loader module'
        {
            ProgID = s 'LoaderCon.LoaderCon.1'
            VersionIndependentProgID = s 'LoaderCon.LoaderCon'
            ForceRemove 'Programmable'
            LocalServer32 = s '%MODULE%'
            val AppID = s '{1E89F684-B78D-4C85-9EFC-3474516E3FE2}'
        }
    }
}
HAVE FUN DELETING!