Solved

Hacker Is Alive and Well AFTER Reformat, New Firewall, Etc....

Posted on 2004-08-27
18
2,556 Views
Last Modified: 2013-12-04
I'm back. So is the hacker.  Never left, actually.  A month ago I wrote in about these people - one calls the other Sneely. (I've been out of commission, hence the delay in solving this problem) I have followed your advise to reformat (system recovery) on Windows XP Home.  It has not been successful.  They are still there, in System 32, and have again taken over my system boot up password, Norton, CD RW drive, scandisk, and the printer (probably the floppy drive, too, didn't check).  I was able to get some data on CD before they found out, and printed one file.  Not sure if any of it could help catch them.  This all started quite awhile ago, and I was the perfect victim who knew nothing.

So, before going online, I installed Zone Alarm Pro4 Firewall, Spy Subtract (this program is excellent!). Norton's firewall seems to be worthless. All my programs are up-to-date.  I am NOT on wireless, my PC is stand alone now (no roommate PC linkage for DSL), I moved my residence and now have ComCast cable (was SBC DSL at last reformat).  I was on my PC a few hours only, mainly searching through the System files, trying to get info about these people.  When I found out they were operating in System 32, that's when everything came to a halt.  

So, I learned that system recovery reformat did nothing, as all the hacker's files and programs were still there on boot up. There are a couple hundred files including notepad notes to each other about what to do.  I believe they are bootlegging software on my PC.  Found a certificate program that creates a digitally signed certificate with a date valid from 5/13/04 to 7/13/05 (I bought the PC on 8/25/03).  There is everything in there for making all kinds of programs. They have installed lots of programs I didn't buy with the PC or since:  Photo Shop, Python, Wild Tanget, Softex, FunWeb, tons of Active X's, Java, PS2,  Don't really understand why they can't do this on their own PCs - could you explain?

Why did recovery not work???  I got the usual alerts (3 times) that all data would be lost.  Not so.  I have still not re-installed any of my document files since the LAST recovery a month ago.

I have literally watched a file name change to another one while I just sat there!  This is all with NO CONNECTION TO THE INTERNET.  

I already had Adaware, Norton anti virus, Hijack This, and Spy Bot  on my PC, still there after reformat.  Why?

What I did:  Before going online:  System Recovery.  Installed Zone Alarm and configured.  Installed SpySubtract and configured.  Ran Adaware, Spy Bot, HiJack This.  Disabled almost every single Service.   They use ctfmonConnected to internet and proceeded to update Norton antivirus - it had problems doing this, probably becuase the hackers' pre-set programs were trying to stop it.

I found out that they change a file's name in order to make it look like a SpySubtract or other good program's component - and fooled me into accepting an active network that I can't delete with the IP address of 169.254.0.0./255.255.0.0   This was through SpySubtract, which I was refusing access to everything I thought was bad.  These people have set up programs that run themselves and anticipate and stop anything I do.  They are using Remote Procedure Call and Remote Access Connection Manager, which I was unable to disable in Services.

Also, back on 7/20/04, I wrote down something that may be important:  
There were 6 logon process names:
RASMAN
K Sec DD
Winlogon\MSGina
Winlogon
LAN Manager Workstation Service
CHAP

And, received a message:
"a notification package has been loaded by the Security Account Mgr.  This package will be notified of any account or password changes.  Not. Pak Name:  scecli"
"a trusted logon process has registered with the local security authority.  Logon Processname:  Winlogon\MsGina"
"authentication package loaded - name: c:\WINDOWS\SYSTEM32\MSV1-0.dll:MICROSOFT AUTHENTICATION PACKAGE_v1_0"
Plus, 6 more additional ones were sent that I didn't write down....  (printer disabled)

What can I do now?  Reformat does nothing.  How can I get my PC back?  I am afraid to contact the company with my service agreement because I am suspcious that they might have installed this on the PC before I even got it home.   I had problems soon after purchase and I was (mostly still am) totally unknowledgeable about this stuff.  Thought Norton firewall and virus and a spam program was all one needed.  Ha!  BestBuy sold me the PC and, dumb me, I let them install and set up the system for a meer $20.  Never again.  Could one of their employee's be doing this???

A few possible indentifying things to help find these people (all found on my PC):
The Terminator (software made by Matt Gerrans of Key Concepts, Inc)
Sleep (also by Gerrans)      DOES ANYONE KNOW OF HIM?
The URL:  http://us8.hpwis.com  (they redirected my IE to that)
RASMAN is now the administrator of my PC  (probably means nothing, just a code)
Sneely gets notebook files sent to him.
Another IP:  24.7.91.0/255.255.255./28
And another:  169.254.0.0./255.255.0.0
redirected home page:  www.microsoft.com/isapi/redir.dll?prd=ie8clcid=0x0409&pver=6.0&ar=home

I have 100 or so files saved on a CD. No idea what, I was saving as fast as I could anything I could.  I can look later when don't have to PAY to be online at Kinkos.  

I have one 36-page file called ims, saved on CD and printed out.  Here is a sample of this file:
"the list of shared files to uninstall in the event of remove all or uninstalling the last component..."
"Sneely, uninstall obsolete files"
"this is a section containing all the destination directories" (with list following"
"[k2.  iis_smtp_k2_files_mail_docs], with long list of gif and html files such as: xmo_10.gif, moc04_31.htm, refwelcm.htm, smtpcfg.hlp"
"This is a section containing all the registry to metabase operations.  The format of the paramenters are as follows: (with long list following this)"
"This section contains a list of all controls that have to be registered.....files like:
%_INETSRV%\smtpadm.dll"

"sneely: changed to add media strings here.  Note that [strings] must be the last section in this file
cdname = "windows XP Home Edition CD-ROM"
productname = "Windows XP Home Edition"
bootname1 = "Windows XP Home Edition SP1 Setup Book Disk"
etc...etc...

I could print out some of the other files I have on CD.  Should I do this?  Any possible hope of getting these people?  I am so pissed.  There must be a way!

Sorry for the very long message - was trying to give as much info as possible and also perhaps some will learn something from this mess.  I want my PC back.  What do you recommend?

P.S.  SpySubtract kicks butt.  I highly recommend it.  Sorry, folks, but Adaware didn't help me too much.  And Zone Alarm firewall appears to leave Norton in the dust.

Thanks once again for all that you can do to help.  
Li
0
Comment
Question by:Marili
  • 5
  • 4
  • 3
  • +4
18 Comments
 
LVL 12

Assisted Solution

by:rossfingal
rossfingal earned 110 total points
ID: 11921622
Hi!

I feel your pain!!
I'm posting this a "last resort" type of solution.
You should wait for a while and see if anyone else here can post
some possible resolutions to your problem.

It's very strange that you did a reformat/reinstall and these idiots are still present!?!
As a LAST resort - download the low-level format utility from the manufacturer(s)
of your hard drive(s) - NOTE! - this utility is manufacturer specific; and, sometimes, MODEL specific!
Meaning: if you have a Seagate drive, do not run Western Digital's low-level format
utility on it! - probably, end of hard drive (or, at least, problems)!

Here's a list of hard drive manufacturers websites:
Fujistu (http://www.fujistu.com/)
Hitachi (http://www.hitachi.com/) IBM (http://www.ibm.com/)
Maxtor (http://www.maxtor.com/) / Quantum (http://www.quantum.com/)
Samsung (http://www.samsung.com/)
Seagate (http://www.seagate.com/)
Western Digital (http://www.wdc.com/)

After you perform a "low-level" format, you'll have to use f-disk to recreate partitions and
then format the partitions (not with the "low-level" utility!).
Then you'll have to do a complete reinstall of your operating system - with all service packs, patches, fixes, etc..
This process wipes a disk to a very clean state.

Remember - I'm only presenting this as an "Absolute Last Resort"!!
Caution!

As far as files you have saved - I would be concerned that these clowns may have infected any of these
files with something.
Therefore, if you restore something it may reintroduce the infection!

Good luck!
RF
0
 
LVL 13

Expert Comment

by:kenfcamp
ID: 11921747
> This is all with NO CONNECTION TO THE INTERNET.  

Does this mean you were not on a website, or that your computer was not connected period.

What type of connection do you have.

If broadband/DSL is there a phone line plugged into your modem?

When this happens, and "IF" there is a phone line connected to your PC , plug the line into a phone and do a *66 and see if you can get a number. But only "after" it happens, or is happening.
0
 
LVL 13

Expert Comment

by:kenfcamp
ID: 11921765
additionaly I'd also run netstat to grab any connection information available
0
 
LVL 8

Assisted Solution

by:KerryG
KerryG earned 40 total points
ID: 11923795
If you have no outside connection, then this is not physically possible. Unplug any network cable and any modem cable. At that point there is no way for anyone to access your machine.

From another machine, go download the following tools (plus all the updates available) and burn them to a CD.

AVG Anti-Virus (http://www.grisoft.com)
Spybot Search and Destroy 1.3 (http://www.safer-networking.de)
AdAware 6 (http://www.lavasoftusa.com/)
Windows XP Service Pack 2 (http://microsoft.com/windowsxp)

Install and run the tools in this order: Spybot, AdAware, AVG, SP2

When you are finished, the tools they used to get in should be gone and further access to your system should be protected against.
0
 
LVL 1

Expert Comment

by:Alien3
ID: 11926393
I would suggest you to real format from the boot disk and do not ever connect to internet till you applied all patches and firewall.  
 

I think you were infected by some worms or viruses.  

0
 

Author Comment

by:Marili
ID: 11928145
Thank you, first of all, for the compassion.  I appreciate it very much.  It helps dry up a few of the tears.  I feel so helpless at this point, I have tried everything and I don't understand why this is happening when everyone I talk to seems to think it is impossible.  However, now I get a white screen,  I can right click on it to do a few measly things, both CD drives are totally disfunctional, was able to load only one CD - Zone Alarm, before they disabled everything, worse than before. They have control of Zone Alarm - the buttons are "lightened" and unclickable.

I was and still am 100% guaranteed disconnected from the internet - the electrical connection and the other one into the modem - both unhooked, laying on the floor.  My service is with ComCast cable.  No DSL, no dialup, I don't even have a phone line into my place!  I reformated using the 6 CD's I made after I bought the PC (it didn't come with any).  It took about an hour to do this.  All my stuff was gone.  But not these guys, they have preprogramed programs HIDING somewhere on my PC.  

COULD THEY BE IN DRIVE D?  

They then proceeded to disable my RW drive so I can't install any other spy programs, nor can I install my internet provider CD - so I can't even go online if I wanted to.  

What I don't get is....they can't go online either....right? .... so they are doing "all this stuff" on my PC, waiting for me to go online, so they can download it - even if they have to wait for months, or forever.  It makes no sense to me either.  But believe me, I am not imagining what is happening.  

Is it possible for them to get their stuff from my PC remotely, without internet?  This is what seems to be the case.

rossfingal, I have no idea how to do the low level format idea, I'm sure to mess that up badly.  Scares me.  

QUESTION:  Even though I was blocked from doing this, if I could have, how am I supposed to apply the patches and virus updates WITHOUT GOING ONLINE??   The minute I do, even if a miracle occurs to lose they guys, won't they just be right back?  Doesn't Microsoft have to be on your computer to figure out what updates you need?

QUESTION:  Can I reformat Drive D?  Also, could my PC have been infected from the place I bought it?

QUESTION:  Would it be cheaper to buy a new harddrive?  Do I have to buy two?  One for C and one for D?  Would this get rid of them for sure?  Except that I wouldn't have an operating system, right?  It seems like my computer is just garbage...

Thanks for your help.  

Li
 



0
 
LVL 8

Assisted Solution

by:KerryG
KerryG earned 40 total points
ID: 11928281
I really hate to beat this into the ground but if you do not have a network cable plugged in and you do not have a modem line plugged in, and you do not have a wireless card, then there is no way anyone can have access to your system, it just isn't physically possible for someone to control your machine unless they have some means of accessing it.

There is NO POSSIBLE WAY for them to access your machine without it having some kind of connection. Your best bet is a clean install. When the screen asks you to choose a partition, be sure and delete the existing ones and create new ones, that should whack any remaining pieces you didn't get before. Install Windows XP Service Pack 2 right away and you should be safe.
0
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 50 total points
ID: 11928465
It sounds like you have a second partition - D, that not being reformatted.  If that's the case, then their control files are likely on that partition.  A factory restore doesn't normally touch the D drive since most of what the restore does (at least the new PCs) is just reformat C and use information from D to rebuild the C drive.

If you are committed to cleaning this up once and for all this is what to do:

1)  Download a bootdisk with CD ROM support from here (use a Win95 disk): www.bootdisk.com
2)  Run FDISK choose large disk support and remove all your partitions.
3)  Create a Primary DOS partition and use the whole drive.
4)  Format it.
5)  Boot with your XP Home CD and select the newly created partition to install on.
6)  Make sure to select the option to convert the file system to NTFS.
7)  Go online immediately after this and install SP2 and any other patches it may require.
8)  Install any new drivers that may not have been installed previously.
9)  Install all of your applications - including Antivirus first.

Boot into safe mode and change the Administrator Password to something complex - by default it's blank.  Write it down and store it somewhere for safe keeping.

Make sure your account has a strong password also.

0
 
LVL 2

Accepted Solution

by:
Scorp888 earned 300 total points
ID: 11929120
Actually it sounds like you didn't actually refomat the drive and reinstall, you just went back to an earlier date with System Restore.

Now that's fine, if you can tell me the exact date your machine got rooted.

Other than that.

Get Service Pack 2, downloaded from a trusted PC, and get it put onto CD.
Get Mozilla Firefox, and or full mozilla itself and put them onto a CD.

http://www.mozilla.org

Take your documents and burn them onto CD to.

Delete everything on the hard drive.

At some point windows will crash, don't worry.

Reinstall Windows XP, and when it asks, reformat the hard drive.

Then, still with no internet connection.

Disable autoplay on your cd-rom drives.

(Double click on the My Computer icon on your desktop until it opens.

Then gently click on your CD / DVD Rom Drive just until it becomes highlighted.

Then click on the word File, which is contained in your top tool bar area.

This will pull down a menu for you to now click on Properties.

Then click on the Auto Play tab at the top of the screen.

Notice how you can adjust settings for Music CDs, Music Files, Pictures, Video Files and Mixed Content.

Now select one of these multimedia types by using the pull down arrow to the right with your mouse.

Then for each multimedia type, use your mouse to encircle the Select an action to perform: option.

To disable that multimedia type, click on the Take no action icon at the bottom of the screen.

Now click on the Apply button at the bottom of the screen to save your changes.

Continue in the above fashion for each multimedia type, choosing the Take no action option.

And ensure that you also click on the Apply button at the bottom of the screen to save your changes.

Once all options are set to your choosing, click on OK button to exit the CD Drive Properties window.

Repeat the above procedure on any additional CD Rom Drives you have in your system.

Note: If you feel you have made a mistake, you can click on the Restore Defaults icon at any time.



Reinstall your virus checker.

If you don't have one, buy one from the shelf of the local computer shop,

Norton Anti-Virus, or McAffee.

Scan each of the CD-roms you put into your machine.


Reinstall your programs.

Now at this point, I'll state the obvious, just in case.

If you've got a pirated copy of Office XP, this is where your hackers are perhaps getting in, likewise for Photopshop etc.

So if you're not 100% legit, and from original installer media, i.e an Adobe CD-Rom, then don't install it at this point.

Ok, so now legit software and windows XP is installed.

The full SP2 from Microsoft is applied.

Can be downloaded from here.

http://www.microsoft.com/downloads/details.aspx?FamilyId=049C9DBE-3B8E-4F30-8245-9E368D3CDB5A&displaylang=en

Remember this should have already be downloaded and put on CD-rom.

Again, be paranoid, scan the CD-rom, and scan the area is unzips to.

Next, scan the CD of your documents with the virus checking software.

At this point.

We're firewalled and virus checked. But not up to date.

However, we do know we're at a good point, so create a system restore point.

WE KNOW this is good, so make a note of it.

Ok, so check that the firewall is in place, with NO EXCEPTIONS.

That's the wording MS use in service pack 2.

Right, next take the mozilla CD, and load that up.

Remove the big old Blue E from the desktop and quicklaunch, you're not going to use it except for a last resort.

Ok, go online and update the virus checking software.

Go offline.

Recheck the machine, and the CD-ROMS you burnt.

Next stage for me, would then be to update windows from windowsupdate.microsoft.com

Again, if we're good, then create a system restore point.

Put your documents back on the PC and scan them.

Download your favourtie spyware/malware detectors.

I run a combination of Adaware and Spyware Detect and Destroy.

Scan the machine.

Now, if you're still clear.

Do a system update and install the rest of the applications you need, each time, look for odd behaviour.

0
Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

 
LVL 2

Expert Comment

by:Scorp888
ID: 11961976
has this worked? Did this solution fix your problem?
0
 
LVL 2

Expert Comment

by:Scorp888
ID: 12022587
do you need any more help on this? Did my solution work for you? Were any of the apps infected?
0
 

Author Comment

by:Marili
ID: 12209293
Scorp888, this is an excellently-written, detailed plan.  I'm so sorry to be so long in responding, please don't think I'm a total flake.  I had to move twice in 2 months (is that absurd or what?) my father is dying and have to help my mom.  And been waiting for 4 weeks for new CDs from HP that NEVER ARRIVED, still haven't.

Finally found out the problem - my restore CDs were corrupt - I made them 3 days after bought the PC.  The trojans got in fast. Had Norton virus and firewall loaded AT THE STORE where I bought it.  Grrr!  

Recently a trusted source gave me a pirated CD, and at this point, what the h--l else am I to do?  I completely re-formated drive C and D and then installed it on C.  It was nice and clean and wonderful - for a few days.  

I might still have to use your instructions because this stupid virus/trojan/hacker is back!  I think I might really be insane now.

The way I know, but want to be sure and check with you, is that the light is flashing like crazy ALL THE TIME, when I'm doing nothing.  Some flashes are really bright, and also makes the noises that you hear when telling PC to do something.  That is not normal, right??

I printed Hijack This and the Faber Toys reports below.
What I did:  formatted C and D; installed Windows XP with SP2.  Looked at the Program, System, and System 32 files to see what was there and hopefully NOT there.  Was way less stuff than before and seemed clean.  Installed Zone Alarm Firewall; Norton firewall and virus; Adaware; Spy Subtract; PC Powerwash.
Configured to max security on all and ran them all.  Hooked up printer and installed MS Word.  Installed horrible AOL via free CD to get online, installed Norton virus updates(lots) and Microsoft updates(few)  Ordered DSL service (will be hooked up Oct 6)
Checked Windows firewall, it works fine.  Seems to be no problem with 2 firewalls.  Someone told me they have 2 with no prob.  Downloaded Hijack this and Faber Toys.  Heard IE was bad, so downloaded Opera, but haven't been able to get it to work.  Cleaned up services a lot via run/services.msc (per blackviper.com's XP configurations for happier computer user).  I have not loaded any documents or CDs that I burned, only purchased CDs except the XP.  I think that's it.  Been going online with AOL dialup.  Not using IE.

Do you think I need to reformat and re-install again?   What is hphmon04.exe? It's always on with a bright green light icon.  Thanks.

Logfile of HijackThis v1.98.2
Scan saved at 2:47:08 PM, on 10/2/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\PCPOWE~1\PopUpKiller.exe
C:\Program Files\interMute\SpySubtract\spysub.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\PCPOWE~1\PopUp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\PCPOWE~1\PopUpKiller.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\spysub.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D368B08F-13EF-414A-88B9-E86496AD44CD}: NameServer = 198.81.17.4
....

File generated by FABER TOYS (Version 2.6 - Build 50)
Date: Saturday, October 02, 2004 - 1:24:49 PM
Program created by Faber
--------------------------------------------------------------------------------
Dependencies of winlogon.exe - Memory: 10.69 MB - Priority: High
Windows NT Logon Application
Version 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
(C:\WINDOWS\system32\winlogon.exe)
--------------------------------------------------------------------------------

69 Modules loaded by winlogon.exe
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Name                                                                                                               Date      Size      ActiveX  Version                                     Description
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
C:\WINDOWS\system32\ADVAPI32.dll                                                                                   8/3/2004  602.5 KB  No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Advanced Windows 32 Base API
C:\WINDOWS\system32\Apphelp.dll                                                                                    8/3/2004  124 KB    No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Application Compatibility Client Library
C:\WINDOWS\system32\AUTHZ.dll                                                                                      8/3/2004  55.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Authorization Framework
C:\WINDOWS\system32\Cabinet.dll                                                                                    8/3/2004  58.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Microsoft® Cabinet File API
C:\WINDOWS\system32\CLBCATQ.DLL                                                                                    8/3/2004  489.5 KB  Yes      2001.12.4414.258                            
C:\WINDOWS\system32\COMCTL32.dll                                                                                   8/3/2004  597 KB    No       5.82 (xpsp_sp2_rtm.040803-2158)             Common Controls Library
C:\WINDOWS\system32\comdlg32.dll                                                                                   8/3/2004  270.5 KB  No       6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)   Common Dialogs DLL
C:\WINDOWS\system32\COMRes.dll                                                                                     8/3/2004  773.5 KB  No       2001.12.4414.258                            
C:\WINDOWS\system32\CRYPT32.dll                                                                                    8/3/2004  583.5 KB  No       5.131.2600.2180 (xpsp_sp2_rtm.040803-2158)  Crypto API32
C:\WINDOWS\system32\cscdll.dll                                                                                     8/3/2004  99.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Offline Network Agent
C:\WINDOWS\system32\cscui.dll                                                                                      8/3/2004  319 KB    Yes      5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Client Side Caching UI
C:\WINDOWS\system32\DNSAPI.dll                                                                                     8/3/2004  145 KB    No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    DNS Client API DLL
C:\WINDOWS\system32\GDI32.dll                                                                                      8/3/2004  271.5 KB  No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    GDI Client DLL
C:\WINDOWS\system32\IMAGEHLP.dll                                                                                   8/3/2004  141 KB    No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows NT Image Helper
C:\WINDOWS\system32\iphlpapi.dll                                                                                   8/3/2004  92.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    IP Helper API
C:\WINDOWS\system32\kernel32.dll                                                                                   8/3/2004  960.5 KB  No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows NT BASE API Client DLL
C:\WINDOWS\system32\MPR.dll                                                                                        8/3/2004  58.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Multiple Provider Router DLL
C:\WINDOWS\system32\MSASN1.dll                                                                                     8/3/2004  56 KB     No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    ASN.1 Runtime APIs
C:\WINDOWS\system32\MSGINA.dll                                                                                     8/3/2004  971 KB    No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows NT Logon GINA DLL
C:\WINDOWS\system32\msv1_0.dll                                                                                     8/3/2004  126.5 KB  No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Microsoft Authentication Package v1.0
C:\WINDOWS\system32\MSVCP60.dll                                                                                    8/3/2004  404 KB    No       6.02.3104.0                                 Microsoft (R) C++ Runtime Library
C:\WINDOWS\system32\msvcrt.dll                                                                                     8/3/2004  335 KB    No       7.0.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows NT CRT DLL
C:\WINDOWS\system32\NDdeApi.dll                                                                                    8/3/2004  17.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Network DDE Share Management APIs
C:\WINDOWS\system32\NETAPI32.dll                                                                                   8/3/2004  324.5 KB  No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Net Win32 API DLL
C:\WINDOWS\system32\ntdll.dll                                                                                      8/3/2004  691.5 KB  No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    NT Layer DLL
C:\WINDOWS\system32\NTDSAPI.dll                                                                                    8/3/2004  65.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    NT5DS
C:\WINDOWS\system32\NTMARTA.DLL                                                                                    8/3/2004  116 KB    No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows NT MARTA provider
C:\WINDOWS\system32\ODBC32.dll                                                                                     8/3/2004  244 KB    No       3.525.1117.0 (xpsp_sp2_rtm.040803-2158)     Microsoft Data Access - ODBC Driver Manager
C:\WINDOWS\system32\odbcint.dll                                                                                    8/3/2004  92 KB     No       3.525.1117.0 (xpsp_sp2_rtm.040803-2158)     Microsoft Data Access - ODBC Resources
C:\WINDOWS\system32\ole32.dll                                                                                      8/3/2004  1.2 MB    Yes      5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Microsoft OLE for Windows
C:\WINDOWS\system32\OLEAUT32.dll                                                                                   8/3/2004  540.5 KB  Yes      5.1.2600.2180                              
C:\WINDOWS\system32\PROFMAP.dll                                                                                    8/3/2004  27 KB     No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Userenv
C:\WINDOWS\system32\PSAPI.DLL                                                                                      8/3/2004  22.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Process Status Helper
C:\WINDOWS\system32\RASAPI32.dll                                                                                   8/3/2004  231 KB    No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Remote Access API
C:\WINDOWS\system32\rasman.dll                                                                                     8/3/2004  60 KB     No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Remote Access Connection Manager
C:\WINDOWS\system32\REGAPI.dll                                                                                     8/3/2004  48.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Registry Configuration APIs
C:\WINDOWS\system32\RPCRT4.dll                                                                                     8/3/2004  567.5 KB  Yes      5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Remote Procedure Call Runtime
C:\WINDOWS\system32\rsaenh.dll                                                                                     8/3/2004  149 KB    Yes      5.1.2600.2161 (xpsp.040706-1629)            Microsoft Enhanced Cryptographic Provider
C:\WINDOWS\system32\rtutils.dll                                                                                    8/3/2004  43 KB     No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Routing Utilities
C:\WINDOWS\system32\SAMLIB.dll                                                                                     8/3/2004  62.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    SAM Library DLL
C:\WINDOWS\system32\Secur32.dll                                                                                    8/3/2004  54.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Security Support Provider Interface
C:\WINDOWS\system32\SETUPAPI.dll                                                                                   8/3/2004  960.5 KB  No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows Setup API
C:\WINDOWS\system32\sfc.dll                                                                                        8/3/2004  5 KB      No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows File Protection
C:\WINDOWS\system32\sfc_os.dll                                                                                     8/3/2004  137 KB    No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows File Protection
C:\WINDOWS\system32\SHELL32.dll                                                                                    8/3/2004  8.0 MB    Yes      6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)   Windows Shell Common Dll
C:\WINDOWS\system32\SHLWAPI.dll                                                                                    8/3/2004  462.5 KB  No       6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)   Shell Light-weight Utility Library
C:\WINDOWS\system32\SHSVCS.dll                                                                                     8/3/2004  131.5 KB  Yes      6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)   Windows Shell Services Dll
C:\WINDOWS\system32\sxs.dll                                                                                        8/3/2004  696.5 KB  No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Fusion 2.5
C:\WINDOWS\system32\TAPI32.dll                                                                                     8/3/2004  177.5 KB  No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Microsoft® Windows(TM) Telephony API Client DLL
C:\WINDOWS\system32\USER32.dll                                                                                     8/3/2004  563.5 KB  No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows XP USER API Client DLL
C:\WINDOWS\system32\USERENV.dll                                                                                    8/3/2004  706.5 KB  Yes      5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Userenv
C:\WINDOWS\system32\uxtheme.dll                                                                                    8/3/2004  213.5 KB  No       6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)   Microsoft UxTheme Library
C:\WINDOWS\system32\VERSION.dll                                                                                    8/3/2004  18.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Version Checking and File Installation Libraries
C:\WINDOWS\system32\wbem\fastprox.dll                                                                              8/3/2004  461 KB    Yes      5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    WMI
C:\WINDOWS\system32\wbem\wbemcomn.dll                                                                              8/3/2004  209.5 KB  No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    WMI
C:\WINDOWS\system32\wbem\wbemprox.dll                                                                              8/3/2004  18.5 KB   Yes      5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    WMI
C:\WINDOWS\system32\wbem\wbemsvc.dll                                                                               8/3/2004  42.5 KB   Yes      5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    WMI
C:\WINDOWS\system32\WINMM.dll                                                                                      8/3/2004  172 KB    No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    MCI API DLL
C:\WINDOWS\system32\WINSCARD.DLL                                                                                   8/3/2004  97 KB     No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Microsoft Smart Card API
C:\WINDOWS\system32\WINSPOOL.DRV                                                                                   8/3/2004  143 KB    No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows Spooler Driver
C:\WINDOWS\system32\WINSTA.dll                                                                                     8/3/2004  52.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Winstation Library
C:\WINDOWS\system32\WINTRUST.dll                                                                                   8/3/2004  172.5 KB  Yes      5.131.2600.2180 (xpsp_sp2_rtm.040803-2158)  Microsoft Trust Verification APIs
C:\WINDOWS\system32\wldap32.dll                                                                                    8/3/2004  168 KB    No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Win32 LDAP API DLL
C:\WINDOWS\system32\WlNotify.dll                                                                                   8/3/2004  90.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Common DLL to receive Winlogon notifications
C:\WINDOWS\system32\WS2_32.dll                                                                                     8/3/2004  81 KB     No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows Socket 2.0 32-Bit DLL
C:\WINDOWS\system32\WS2HELP.dll                                                                                    8/3/2004  19.5 KB   No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows Socket 2.0 Helper for Windows NT
C:\WINDOWS\system32\WTSAPI32.dll                                                                                   8/3/2004  18 KB     No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Windows Terminal Server SDK APIs
C:\WINDOWS\system32\xpsp2res.dll                                                                                   8/3/2004  2.8 MB    No       5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)    Service Pack 2 Messages
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll  8/3/2004  1.0 MB    No       6.0 (xpsp_sp2_rtm.040803-2158)              User Experience Controls Library


MODULES NOT LISTED ABOVE
--------------------------------------------------------------------------------
C:\WINDOWS\system32\winlogon.exe
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 12209818
Hi!  Marili

Sorry to hear about you're father - been through that.
What can I say?!?

This line shows that you've got Msconfig going under what's called "Selective Startup" -
run Msconfig and choose "Normal" startup, reboot then -
post a new HJT log  
This line  ->  O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
So we can see what's really going on (hopefully!)
Any questions - just ask.

Regards..
RF
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 12209823
Oops - that might be "Diagnostic Startup"??!!
0
 

Author Comment

by:Marili
ID: 12223254
Here is my Hijack This run after changing startup.  The light on the PC runs ALL THE TIME, when I am doing  nothing.  I didn't request Java, Quicktime qt task, messenger, spool\drivers\hpztsbo7, hphmon04 to run.  Towards the end is extra button CD67F990-D8E9.  What is THAT?  I thought I turned messenger off.

Logfile of HijackThis v1.98.2
Scan saved at 6:39:17 PM, on 10/4/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\hphmon04.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\PCPOWE~1\PopUpKiller.exe
C:\Program Files\interMute\SpySubtract\spysub.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\PCPOWE~1\PopUp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\PCPOWE~1\PopUpKiller.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\spysub.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D368B08F-13EF-414A-88B9-E86496AD44CD}: NameServer = 198.81.17.4

0
 
LVL 2

Expert Comment

by:Scorp888
ID: 12240963
Good to hear you're back online, sorry to hear about your problems.

Ok, it sounds like you've done the first part of my suggestion.

Have you done a system restore (save) so you can go back to that if things don't work out? That would be my next suggestion.

Also when you say flashing light, what exactly do you mean, on your screen, or a light on the pc?
0
 

Author Comment

by:Marili
ID: 12253925
Hi again, and thanks.  I was thinking, this is getting very long and drawn out, should I start a new question so I can give you the points?

Haven't done system save, I will try to do that.  The partitions got changed, not sure if I know how to now.  The light is on the PC (it's orange) not the screen.  The light that indicates the PC is "doing something."

What did you think of the HijackThis file?

I'm barely online - actually not really.  The AOL is giving me major problems and almost never will go to the website I want.  I'm losing my time at the library...bytee
0
 
LVL 2

Expert Comment

by:Scorp888
ID: 12268407
Ok.

If the problems are not related to your original question, or are fairly specific, then I'd ask them as seperate questions.

If you feel that they are still under your original question, then ask away here.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now