this one's a doozy ...

Post by ccinmfd » July 21st, 2006, 10:13 am

My son has been at it again ... after all day on the computer yesterday, July 20, we have been infected by at least surfsidekick, if not others ... right now, no applications will boot up ... not even in Safe Mode ... when I get to my empty desktop, I call up task manager, and no applications show in the applications window, although I can browse, very slowly, and find items on the desktop, etc ... from Task Manager, but they get frozen when I attempt to bring anything up ... basically, my home computer is in "useless" mode ... please help .... thanks ... ccinmfd
ccinmfd
Regular Member
 
Posts: 77
Joined: February 4th, 2006, 11:35 am
Location: Milford, CT

Post by random/random » July 21st, 2006, 12:09 pm

I assume this means HijackThis won't run?

If so, then please bring up taskmanager, click on the processes tab and write down the processes that are present there and post that list back here

If HijackThis will run, then please post a HijackThis log

Post back with either a HijackThis log or a list of processes
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

basically ... yes ...

Post by ccinmfd » July 21st, 2006, 1:30 pm

... I was able to find HiJackThis and it began to run ... very, very slowly ... a lot of adware websites were ID'd in the first category ... but it took a long time to analyze ... got to the 23's in the categories ... and then basically froze up ... along with the two other windows still up in the background, including Taskmaster ...

... as I'm no longer using the home computer, I will go home and review what the processes tab shows me, per your instructions, and answer back ... thanks ... ccinmfd
ccinmfd
Regular Member
 
Posts: 77
Joined: February 4th, 2006, 11:35 am
Location: Milford, CT

... next step ...

Post by ccinmfd » July 21st, 2006, 3:18 pm

OK ... so many processes were running, it was impossible to get HiJackThis to do anything but almost start up before everything froze ...

here are the processes that were running ...

cmd.exe (replaced later at the top by firefox.com)
taskmaster
rundll.32
explorer.exe
rundll32.exe
redistributor.exe
system.exe
rundll.exe
dfndred_7.exe
rtvscan.exe
netmon.exe
MDTM.EXE
Kodakccs.exe
AppServices.exe
defwatch.exe
cvpnd.exe
alotpspd.exe
comand.exe
aoltsmon.exe
spoolssu.exe
alg.exe
MSG3YS.EXE
svhost.exe
svhost.exe
InCDsrv.exe
svhost.exe
svhost.exe
svhost.exe
lsass.exe
winlogin.exe
csrss.exe
smss.exe
adservice.exe
svchost.exe
kybrded_7.exe
nunmed_7.exe
system
systemIdleProcess

... that's the list of processes running on taskmaster ... plus it keeps trying to add new hardware when I don't have any new hardware ....thanks ... ccinmfd
ccinmfd
Regular Member
 
Posts: 77
Joined: February 4th, 2006, 11:35 am
Location: Milford, CT


Post by random/random » July 21st, 2006, 4:00 pm

Use task manager to end these processes:


redistributor.exe
system.exe
dfndred_7.exe
netmon.exe
MDTM.EXE
alotpspd.exe
comand.exe
spoolssu.exe
MSG3YS.EXE
kybrded_7.exe
nunmed_7.exe
firefox.com

If after that you are able to use the computer at a reasonable speed, please do the following
Download and unzip BFU.zip from here.
Run the program and click the Web button as shown by the blue arrow below:
[image: screenshot of the BFU window, with a blue arrow pointing at the Web button]

Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/alcanshorty.bfu

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html

Then reboot and if possible post a HijackThis log and tell me how the computer is now running

If you can't post a HijackThis log, then please post another list of processes
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm
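The process list ccinmfd typed in shows why a helper can pick out bad entries by name alone: several of them sit one or two characters away from core Windows process names (svhost.exe for svchost.exe, winlogin.exe for winlogon.exe, spoolssu.exe for spoolsv.exe, rundll.exe for rundll32.exe). The Python script below is an added example, not part of this thread and not code from HijackThis, BFU or ComboFix. It compares each name in a Task Manager list against a baseline of Windows XP core process names using edit distance and reports the lookalikes; the baseline and the sample list are constructed here from the names in the post above, and the script generalises the helper's by-eye check to any list and any baseline you give it.

```python
# Core Windows XP process names as they appear in a clean Task Manager list.
# Constructed baseline for this example; extend it for the build you are checking.
CORE_PROCESSES = sorted({
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe", "taskmgr.exe",
    "alg.exe", "ctfmon.exe", "wuauclt.exe", "cmd.exe", "userinit.exe",
})

# Constructed sample: the Task Manager list posted in this thread, minus the
# annotation on the cmd.exe line.
PROCESS_LIST = [
    "cmd.exe", "taskmaster", "rundll.32", "explorer.exe", "rundll32.exe",
    "redistributor.exe", "system.exe", "rundll.exe", "dfndred_7.exe", "rtvscan.exe",
    "netmon.exe", "MDTM.EXE", "Kodakccs.exe", "AppServices.exe", "defwatch.exe",
    "cvpnd.exe", "alotpspd.exe", "comand.exe", "aoltsmon.exe", "spoolssu.exe",
    "alg.exe", "MSG3YS.EXE", "svhost.exe", "svhost.exe", "InCDsrv.exe", "svhost.exe",
    "lsass.exe", "winlogin.exe", "csrss.exe", "smss.exe", "adservice.exe",
    "svchost.exe", "kybrded_7.exe", "nunmed_7.exe", "system", "systemIdleProcess",
]


def levenshtein(a, b):
    """Edit distance between a and b (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def find_lookalikes(process_names, max_distance=2):
    """Map every name that is within max_distance edits of a core process name,
    but is not exactly that name, to the core name it imitates."""
    hits = {}
    for raw in process_names:
        name = raw.strip().lower()
        if name in CORE_PROCESSES:
            continue  # exact match: the genuine process
        best = min(CORE_PROCESSES, key=lambda core: levenshtein(name, core))
        if levenshtein(name, best) <= max_distance:
            hits[name] = best
    return hits


if __name__ == "__main__":
    for fake, real in sorted(find_lookalikes(PROCESS_LIST).items()):
        print(f"{fake:14} looks like {real}")
```

Run against the sample list it flags rundll.exe, spoolssu.exe, svhost.exe and winlogin.exe, all of which are on the helper's kill list. Names that share nothing with a core process (dfndred_7.exe, redistributor.exe, MSG3YS.EXE) are not caught by this check, so it is a first pass that narrows the list, not a verdict; a distance threshold above 2 starts to flag legitimate third-party names as well.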

... log

Post by ccinmfd » July 21st, 2006, 7:51 pm

Logfile of HijackThis v1.99.1
Scan saved at 7:45:53 PM, on 7/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\Q2hyaXMgQ2Fycm9sbA\command.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\rundll.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\carrollc\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,tfwoxiu.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [keyboard] c:\\kybrded_7.exe
O4 - HKLM\..\Run: [defender] c:\\dfndred_7.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [newname] c:\\nwnmed_7.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [NwCplMonitor] C:\WINDOWS\system32\redistributor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\m4460ehseh460.dll (file missing)
O20 - Winlogon Notify: logons - C:\WINDOWS\system32\redist.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\mv4ql9h51.dll
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\m4460ehseh460.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXMgQ2Fycm9sbA\command.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
ccinmfd
Regular Member
 
Posts: 77
Joined: February 4th, 2006, 11:35 am
Location: Milford, CT
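A HijackThis log like the one above is read line by line for autostart entries that do not belong. The Python example below is added here and is not part of this thread or of HijackThis itself. It parses a handful of lines copied from the log above and returns the ones that merit a second look: the F2 UserInit line with an extra executable appended, an O4 Run entry launching from the drive root, O20 Winlogon Notify handlers that are not among the standard subkeys, and an O23 service with no publisher. The Winlogon Notify baseline is taken from the standard subkeys listed in the ComboFix output later in this thread; the drive-root and "Unknown owner" rules are assumed heuristics for triage, not proof of infection.

```python
import re

# Winlogon\Notify subkeys that remained after the clean-up in the ComboFix
# "Look2Me's Log" later in this thread; used here as the expected-handler baseline.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wzcnotif",
}

RE_F2 = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
RE_O4 = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[([^\]]*)\] (.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
RE_O23 = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
# An executable sitting directly in the root of a drive, e.g. c:\kybrded_7.exe
RE_DRIVE_ROOT = re.compile(r"^[a-z]:\\+[^\\]+\.exe$", re.IGNORECASE)

# Constructed excerpt: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,tfwoxiu.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrded_7.exe
O4 - HKLM\..\Run: [NwCplMonitor] C:\WINDOWS\system32\redistributor.exe
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\m4460ehseh460.dll (file missing)
O20 - Winlogon Notify: logons - C:\WINDOWS\system32\redist.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe
"""


def triage(log_text):
    """Return (section, item, reason) tuples for log lines that merit review."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RE_F2.match(line)
        if m:
            # UserInit should name userinit.exe only; anything after the comma
            # is started at every logon.
            parts = [p.strip() for p in m.group(1).split(",") if p.strip()]
            if len(parts) > 1:
                findings.append(("F2", "UserInit",
                                 "extra entries appended: " + ", ".join(parts[1:])))
            continue
        m = RE_O4.match(line)
        if m:
            name, target = m.groups()
            # Quoted targets carry arguments after the closing quote; drop them.
            exe = target.split('"')[1] if target.startswith('"') else target
            if RE_DRIVE_ROOT.match(exe):
                findings.append(("O4", name,
                                 "Run entry launches an executable from the drive root: " + exe))
            continue
        m = RE_O20.match(line)
        if m:
            name, dll = m.groups()
            if name.lower() not in KNOWN_NOTIFY:
                reason = "non-standard Winlogon Notify handler"
                if dll.endswith("(file missing)"):
                    reason += " (file missing)"
                findings.append(("O20", name, reason))
            continue
        m = RE_O23.match(line)
        if m:
            name, owner, path = m.groups()
            if owner == "Unknown owner":
                findings.append(("O23", name, "service with no publisher: " + path))
    return findings


if __name__ == "__main__":
    for section, item, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {item:12} {reason}")
```

On the excerpt this returns five findings and leaves the Iomega Run entry and the Symantec DefWatch service alone. Note what it does not catch: the NwCplMonitor entry for redistributor.exe lives in system32 and passes the drive-root rule, which is why location-based checks are combined with file dates and publisher information (as ComboFix's Find3M report does further down) rather than trusted on their own.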

... second reply ...

Post by ccinmfd » July 21st, 2006, 7:55 pm

... the only way to run my email to use my home computer was to close Explorer using Task Manager ... but I was able to use the brute force program and post a HiJackThis log, see previous message ... rebooting, however, did not fix the problem of applications not loading ... nothing on the desktop ... I have to use task manager to open anything ... and pop-ups disrupt me sending this message to you ... when I went to erase the items from processes, I was not successful for many, and others were not there that were there the first time ... anyways ... I'm here ... and at least I do not have to go to work to post a message to you ... ccinmfd
ccinmfd
Regular Member
 
Posts: 77
Joined: February 4th, 2006, 11:35 am
Location: Milford, CT

Post by random/random » July 22nd, 2006, 1:24 pm

Ok, I'm going to need to ask you to repeat some steps you've already done

Use task manager to end these processes:

redistributor.exe
system.exe
dfndred_7.exe
netmon.exe
MDTM.EXE
alotpspd.exe
comand.exe
spoolssu.exe
MSG3YS.EXE
kybrded_7.exe
nunmed_7.exe
firefox.com

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Download and unzip BFU.zip from here.
Run the program and click the Web button as shown by the blue arrow below:
[image: screenshot of the BFU window, with a blue arrow pointing at the Web button]

Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/alcanshorty.bfu

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html


Restart

Post back with the combofix log, a new HijackThis log and tell me how the computer is running now
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

... making progress ...

Post by ccinmfd » July 22nd, 2006, 9:05 pm

... well, my desktop icons are back ... I still seem to get pop-ups in Explorer ... but not after this restart so far ...

New HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:53:53 PM, on 7/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\rundll.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\v1201.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\America Online 9.0a\waol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\carrollc\Desktop\HijackThis.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\America Online 9.0a\shellmon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (HKCU)
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.media-motor.net/cabs/joysavsht.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe


New Combo fix log:

Start Time= Sat 07/22/2006 20:05:36.03
Running from: C:\Documents and Settings\carrollc\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{FE87C499-C233-4C50-8368-20E03AB2E0B3}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{FE87C499-C233-4C50-8368-20E03AB2E0B3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{FE87C499-C233-4C50-8368-20E03AB2E0B3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{FE87C499-C233-4C50-8368-20E03AB2E0B3}\InprocServer32]
@="C:\\WINDOWS\\system32\\nntshell.dll"
"ThreadingModel"="Apartment"

Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

20:06:40.32

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


Qoologic uninstaller found and executed
Registry entries fixed


(((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\carrollc\Application Data\Sskknwrd.dll.ren
C:\Documents and Settings\carrollc\Local Settings\Temporary Internet Files\Ssk.log.ren
C:\Program Files\SurfSideKick 3\Ssk.exe.ren
C:\Program Files\SurfSideKick 3\SskBho.dll.ren
C:\Program Files\SurfSideKick 3\SskCore.dll.ren
C:\WINDOWS\Prefetch\SSK.EXE-20EC298C.pf.ren
C:\WINDOWS\Prefetch\SSKUPDATER3.EXE-32506128.pf.ren


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


C:\Documents and Settings\carrollc\Local Settings\Temporary Internet Files\Ssk.log.ren

20:09:53.92
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\drsmartload.exe
C:\drsmartload1.exe
C:\drsmartload292a.exe
C:\drsmartload45a7a.exe
C:\drsmartload45a7c.exe
C:\drsmartload46a7a.exe
C:\drsmartload46a7c.exe
C:\drsmartload849a7a.exe
C:\drsmartload849a7c.exe
C:\dfndrdd_6.exe
C:\dfndred_7.exe
C:\nwnmdd_6.exe
C:\nwnmed_7.exe
C:\kybrddd_6.exe
C:\kybrded_7.exe
C:\WINDOWS\newname.dat
C:\WINDOWS\keyboard1.dat
C:\MTE3NDI6ODoxNg.exe
C:\MTE3NDI6ODoxNgnew.exe
C:\warebundle3.exe
C:\warebundlenewer.exe
C:\Documents and Settings\carrollc\Local Settings\Temp\Temporary Internet Files\Content.IE5\UZIF23ME\MTE3NDI6ODoxNg[1].exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\MTE3NDI6ODoxNg.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Program Files\network monitor
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\WINDOWS\Q2hyaXMgQ2Fycm9sbA


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



2006-07-22 19:25 <DIR> C:\Program Files\mozilla firefox
2006-07-22 19:22 236,678 C:\WINDOWS\system32\p04u0ah9ed4.dll
2006-07-22 19:22 235,738 C:\WINDOWS\system32\mdpmsp.dll
2006-07-22 18:56 1,253 C:\WINDOWS\win.ini
2006-07-22 18:01 235,738 C:\WINDOWS\system32\psrfctrs.dll
2006-07-22 11:03 235,658 C:\WINDOWS\system32\o448lehu1h48.dll
2006-07-22 10:13 50,912 C:\WINDOWS\iconu.exe
2006-07-22 09:51 235,738 C:\WINDOWS\system32\g6jolg1316.dll
2006-07-22 09:24 236,777 C:\WINDOWS\system32\mv84l9lq1.dll
2006-07-22 09:23 235,658 C:\WINDOWS\system32\ihaksie.dll
2006-07-21 22:08 235,430 C:\WINDOWS\system32\mvrql9951.dll
2006-07-21 20:28 <DIR> C:\Documents and Settings\carrollc\Application Data\talkback
2006-07-21 19:58 24,296 C:\WINDOWS\icont.exe
2006-07-21 19:01 235,393 C:\WINDOWS\system32\iydsm_s.dll
2006-07-21 14:21 236,340 C:\WINDOWS\system32\gpnql3551.dll
2006-07-21 14:12 159,744 C:\WINDOWS\system32\redist.dll
2006-07-21 14:12 126,464 C:\WINDOWS\system32\redistributor.exe
2006-07-21 14:11 27,648 C:\dist13.exe
2006-07-21 14:11 <DIR> C:\Program Files\system icons
2006-07-21 14:11 <DIR> C:\Program Files\system files
2006-07-21 14:11 <DIR> C:\Program Files\cas2stub
2006-07-21 11:01 235,437 C:\WINDOWS\system32\i060lajm1doa.dll
2006-07-21 09:01 236,747 C:\WINDOWS\system32\gp20l3fm1.dll
2006-07-21 01:31 366,592 C:\WINDOWS\system32\bk.exe.ren
2006-07-21 01:23 236,012 C:\WINDOWS\system32\mvnul9591.dll
2006-07-21 01:20 235,037 C:\WINDOWS\system32\u2ru0c99ef.dll
2006-07-21 01:15 235,393 C:\WINDOWS\system32\edent.dll
2006-07-21 00:46 237,037 C:\WINDOWS\system32\m446lehs1h46.dll
2006-07-21 00:46 235,396 C:\WINDOWS\system32\n66q0gj5e6o.dll
2006-07-21 00:46 235,393 C:\WINDOWS\system32\wwbhits.dll
2006-07-21 00:43 234,272 C:\WINDOWS\system32\mvls31.dll
2006-07-21 00:40 234,272 C:\WINDOWS\system32\autxprxy.dll
2006-07-21 00:29 20,480 C:\dra.exe
2006-07-21 00:24 235,317 C:\WINDOWS\system32\dn0401dqe.dll
2006-07-21 00:24 234,916 C:\WINDOWS\system32\nntshell.dll
2006-07-21 00:18 <DIR> C:\Program Files\msn
2006-07-21 00:18 <DIR> C:\Program Files\common files
2006-07-21 00:17 110,592 C:\WINDOWS\v1201.exe
2006-07-21 00:17 <DIR> C:\Program Files\windows media player
2006-07-21 00:16 578,560 C:\installer3.exe
2006-07-21 00:16 48,190 C:\rdfx4.exe
2006-07-21 00:16 30,208 C:\ss1001newer.exe
2006-07-21 00:16 234,272 C:\WINDOWS\system32\mzcorier.dll
2006-07-21 00:16 234,272 C:\WINDOWS\system32\mmasn1.dll
2006-07-21 00:16 14,848 C:\stub_113_4_0_4_0newer.exe
2006-07-21 00:15 234,272 C:\WINDOWS\system32\dnr0019me.dll
2006-07-20 23:40 78,336 C:\WINDOWS\wnu_114.exe
2006-07-20 23:11 234,617 C:\WINDOWS\system32\hr4o05h3e.dll
2006-07-20 23:01 <DIR> C:\Program Files\Common Files\uffw
2006-07-20 22:02 1,111,040 C:\WINDOWS\univer.exe
2006-07-20 20:10 <DIR> C:\Program Files\inetget2
2006-07-20 20:06 <DIR> C:\Program Files\ipwins
2006-07-20 19:58 <DIR> C:\Program Files\tclock
2006-07-20 18:41 <DIR> C:\Program Files\Common Files\{644f1b91-05fd-1033-0423-020121020001}
2006-07-20 18:17 236,022 C:\WINDOWS\system32\dn8s01l7e.dll
2006-07-20 18:17 235,103 C:\WINDOWS\system32\dnl8013ue.dll
2006-07-20 18:17 234,781 C:\WINDOWS\system32\lv0q09d5e.dll
2006-07-20 18:09 242,230 C:\siteerror.exe
2006-07-20 18:09 20,480 C:\stub_sca3.exe
2006-07-20 18:08 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-20 18:08 50,688 C:\WINDOWS\ndnuninstall6_38.exe
2006-07-20 18:08 266,240 C:\nnscaa638.exe
2006-07-20 18:08 20,480 C:\da.exe
2006-07-20 18:06 41,336 C:\wd7gi8nnew.exe
2006-07-20 16:36 1,200,640 C:\WINDOWS\rundll.exe
2006-07-20 16:36 1,200,640 C:\win0.exe
2006-07-17 10:55 <DIR> C:\Documents and Settings\carrollc\Application Data\microsoft
2006-07-16 12:46 33 C:\WINDOWS\quark.ini
2006-07-15 03:08 458,046 C:\WINDOWS\system32\perfstringbackup.ini
2006-07-12 14:40 116 C:\WINDOWS\nerodigital.ini
2006-07-12 12:08 <DIR> C:\Documents and Settings\carrollc\Application Data\imesh
2006-07-05 18:46 <DIR> C:\Program Files\sports mogul
2006-07-04 18:02 <DIR> C:\Program Files\poker.com
2006-06-28 16:52 230 C:\delme.bat
2006-06-24 15:34 <DIR> C:\Documents and Settings\carrollc\Application Data\active disk
2006-06-24 14:52 <DIR> C:\Program Files\iomega
2006-06-17 09:10 <DIR> C:\Program Files\partygaming
2006-06-17 09:08 <DIR> C:\Program Files\ewido anti-malware
2006-06-16 20:58 <DIR> C:\Program Files\internet explorer
2006-06-08 09:21 <DIR> C:\Program Files\america online 9.0a
2006-06-07 13:55 3,626 C:\Program Files\Common Files\mejeh.html
2006-06-02 08:20 <DIR> C:\Program Files\symantec
2006-05-29 19:59 <DIR> C:\Documents and Settings\carrollc\Application Data\ahead
2006-05-20 16:46 209,920 C:\WINDOWS\iun3401.exe
2006-05-19 08:59 94,720 C:\WINDOWS\system32\iphlpapi.dll
2006-05-19 08:59 148,480 C:\WINDOWS\system32\dnsapi.dll
2006-05-19 08:59 111,616 C:\WINDOWS\system32\dhcpcsvc.dll
2006-04-27 17:49 288,417 C:\WINDOWS\system32\srchsts.exe


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-22 19:22 236,678 C:\WINDOWS\system32\p04u0ah9ed4.dll
2006-07-22 19:22 235,738 C:\WINDOWS\system32\mdpmsp.dll
2006-07-22 18:01 235,738 C:\WINDOWS\system32\psrfctrs.dll
2006-07-22 18:01 235,658 C:\WINDOWS\system32\o448lehu1h48.dll
2006-07-22 10:13 50,912 C:\WINDOWS\iconu.exe
2006-07-22 09:58 235,738 C:\WINDOWS\system32\g6jolg1316.dll
2006-07-22 09:50 236,777 C:\WINDOWS\system32\mv84l9lq1.dll
2006-07-22 09:23 235,658 C:\WINDOWS\system32\ihaksie.dll
2006-07-22 09:23 235,430 C:\WINDOWS\system32\mvrql9951.dll
2006-07-21 19:18 24,296 C:\WINDOWS\icont.exe
2006-07-21 19:01 236,340 C:\WINDOWS\system32\gpnql3551.dll
2006-07-21 19:01 235,393 C:\WINDOWS\system32\IYDSM_S.DLL
2006-07-21 14:21 235,437 C:\WINDOWS\system32\i060lajm1doa.dll
2006-07-21 14:12 159,744 C:\WINDOWS\system32\redist.dll
2006-07-21 14:12 126,464 C:\WINDOWS\system32\redistributor.exe
2006-07-21 14:11 27,648 C:\dist13.exe
2006-07-21 11:01 236,747 C:\WINDOWS\system32\gp20l3fm1.dll
2006-07-21 09:01 236,012 C:\WINDOWS\system32\mvnul9591.dll
2006-07-21 01:37 366,592 C:\WINDOWS\system32\bk.exe.ren
2006-07-21 01:23 235,037 C:\WINDOWS\system32\u2ru0c99ef.dll
2006-07-21 01:15 235,393 C:\WINDOWS\system32\edent.dll
2006-07-21 00:55 235,396 C:\WINDOWS\system32\n66q0gj5e6o.dll
2006-07-21 00:46 237,037 C:\WINDOWS\system32\m446lehs1h46.dll
2006-07-21 00:46 235,393 C:\WINDOWS\system32\wwbhits.dll
2006-07-21 00:43 234,272 C:\WINDOWS\system32\mvls31.dll
2006-07-21 00:40 234,272 C:\WINDOWS\system32\autxprxy.dll
2006-07-21 00:24 235,317 C:\WINDOWS\system32\dn0401dqe.dll
2006-07-21 00:24 234,916 C:\WINDOWS\system32\nntshell.dll
2006-07-21 00:24 234,272 C:\WINDOWS\system32\dnr0019me.dll
2006-07-21 00:17 110,592 C:\WINDOWS\v1201.exe
2006-07-21 00:16 578,560 C:\Installer3.exe
2006-07-21 00:16 48,190 C:\RDFX4.exe
2006-07-21 00:16 30,208 C:\SS1001newer.exe
2006-07-21 00:16 234,272 C:\WINDOWS\system32\mzcorier.dll
2006-07-21 00:16 234,272 C:\WINDOWS\system32\mmasn1.dll
2006-07-21 00:16 14,848 C:\stub_113_4_0_4_0newer.exe
2006-07-20 23:40 78,336 C:\WINDOWS\wnu_114.exe
2006-07-20 23:11 234,617 C:\WINDOWS\system32\hr4o05h3e.dll
2006-07-20 22:03 1,111,040 C:\WINDOWS\UNIVER.EXE
2006-07-20 22:01 1,111,040 C:\asd.exe
2006-07-20 18:17 236,022 C:\WINDOWS\system32\dn8s01l7e.dll
2006-07-20 18:17 235,103 C:\WINDOWS\system32\dnl8013ue.dll
2006-07-20 18:17 234,781 C:\WINDOWS\system32\lv0q09d5e.dll
2006-07-20 18:13 20,480 C:\dra.exe
2006-07-20 18:09 583,910 C:\626_101newer.exe
2006-07-20 18:09 242,230 C:\siteError.exe
2006-07-20 18:09 20,480 C:\stub_sca3.exe
2006-07-20 18:08 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-20 18:08 50,688 C:\WINDOWS\NDNuninstall6_38.exe
2006-07-20 18:08 266,240 C:\NNSCAA638.EXE
2006-07-20 18:06 41,336 C:\wd7gi8nnew.exe
2006-07-20 18:05 20,480 C:\da.exe
2006-07-20 16:36 1,200,640 C:\WINDOWS\rundll.exe
2006-07-20 16:36 1,200,640 C:\win0.exe
2006-06-28 16:52 230 C:\Delme.bat
2006-06-24 14:52 86,016 C:\WINDOWS\unvise32.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe /IMGSTART"
"ACTX1"="C:\\WINDOWS\\v1201.exe"
"Configuration Manager"="C:\\WINDOWS\\cfg32.exe"
"NwCplMonitor"="C:\\WINDOWS\\system32\\redistributor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Ahead\\NEROPH~1\\data\\Xtras\\mssysmgr.exe"
"AOL Fast Start"="\"C:\\Program Files\\America Online 9.0a\\AOL.EXE\" -b"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Common Files\\mejeh.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\MSN\\polokibob.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"uffw"="C:\\PROGRA~1\\COMMON~1\\uffw\\uffwm.exe"
"CAS2"="\"C:\\Program Files\\System Files\\System.exe\""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{644F1B91-05FD-1033-0423-020121020001}"="\"C:\\Program Files\\Common Files\\{644F1B91-05FD-1033-0423-020121020001}\\Update.exe\" mc-110-12-0000107"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"uffw"="C:\\PROGRA~1\\COMMON~1\\uffw\\uffwm.exe"
"CAS2"="\"C:\\Program Files\\System Files\\System.exe\""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"{644F1B91-05FD-1033-0423-020121020001}"="\"C:\\Program Files\\Common Files\\{644F1B91-05FD-1033-0423-020121020001}\\Update.exe\" mc-110-12-0000107"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{81559C35-8464-49F7-BB0E-07A383BEF910}"="SpywareGuard"



Contents of the 'Scheduled Tasks' folder

Completion time: Sat 07/22/2006 20:10:36.96
ComboFix ver 06.07.22 - This logfile is located at C:\ComboFix.txt

ComboFix.txt
ComboFix2.txt

... ok ... overall, much better ... waiting to hear back ... thanks ... ccinmfd

.. one more note ...

Unread postby ccinmfd » July 22nd, 2006, 9:06 pm

... the poker sites are unwanted ... my son plays but he is not supposed to be ... ccinmfd

Unread postby random/random » July 23rd, 2006, 6:06 am

Looking much better :D

We'll deal with the poker sites after I receive the uninstall list

Reveal Hidden Files
  1. Click Start.
  2. Open My Computer.
  3. Select the Tools menu.
  4. Click Folder Options.
  5. Select the View Tab.
  6. Select Show hidden files and folders in the Hidden files and folders section.
  7. Uncheck Hide protected operating system files (recommended) option.
  8. Uncheck the Hide file extensions for known file types option.
  9. Click Yes.
  10. Click OK.

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines (if still present)


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.media-motor.net/cabs/joysavsht.cab
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - (no file)

Then close all windows except HijackThis and click Fix Checked

Restart

Use Windows Explorer to find and delete this file:

C:\WINDOWS\v1201.exe

To assist diagnosis I would like a list of installed programs.
  • Open HijackThis and select Open the Misc Tools section
  • Click on the Open Uninstall Manager…
  • Select the Save List button
  • I suggest that you accept the default name of uninstall_list.txt and save the file to your desktop
  • Close HijackThis


Upload this file to http://www.virustotal.com/en/indexx.html and post the results back here

C:\WINDOWS\rundll.exe

Post back with the uninstall list, the virustotal results and a new HijackThis log

... posting results ...

Unread postby ccinmfd » July 23rd, 2006, 10:37 am

Here are the VirusTotal scan results:

Antivirus Version Update Result
AntiVir 6.35.0.24 07.22.2006 no virus found
Authentium 4.93.8 07.21.2006 no virus found
Avast 4.7.844.0 07.21.2006 no virus found
AVG 386 07.21.2006 no virus found
BitDefender 7.2 07.22.2006 no virus found
CAT-QuickHeal 8.00 07.22.2006 no virus found
ClamAV devel-20060426 07.21.2006 no virus found
DrWeb 4.33 07.23.2006 no virus found
eTrust-InoculateIT 23.72.76 07.23.2006 no virus found
eTrust-Vet 12.6.2305 07.21.2006 no virus found
Ewido 4.0 07.23.2006 Backdoor.IRCBot.to
Fortinet 2.77.0.0 07.22.2006 PossibleThreat!07267
F-Prot 3.16f 07.21.2006 no virus found
F-Prot4 4.2.1.29 07.21.2006 no virus found
Ikarus 0.2.65.0 07.23.2006 no virus found
Kaspersky 4.0.2.24 07.23.2006 Backdoor.Win32.IRCBot.to
McAfee 4812 07.21.2006 no virus found
Microsoft 1.1508 07.23.2006 no virus found
NOD32v2 1.1674 07.22.2006 no virus found
Norman 5.90.23 07.21.2006 no virus found
Panda 9.0.0.4 07.23.2006 no virus found
Sophos 4.07.0 07.23.2006 no virus found
Symantec 8.0 07.23.2006 IRC Trojan
TheHacker 5.9.8.179 07.21.2006 no virus found
UNA 1.83 07.21.2006 no virus found
VBA32 3.11.0 07.22.2006 no virus found
VirusBuster 4.3.7:9 07.22.2006 no virus found

Aditional Information
File size: 1200640 bytes
MD5: b9bbeaf63c8a0b2db9a62ee5c4bae6ae
SHA1: 6351518903eb96c0e95f327cfa6cb0f647d64ff8
packers: Themida

Here is the latest HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:30:24 AM, on 7/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\rundll.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\carrollc\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEFBC7FB-20CD-4ABB-A1A4-B64B40758E90}: Domain = boysvillage.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEFBC7FB-20CD-4ABB-A1A4-B64B40758E90}: NameServer = 10.129.1.6
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = boysvillage.org
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = boysvillage.org
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Here is the Uninstall list:

Active Disk
Ad-Aware SE Personal
Adobe Acrobat 4.0
Adobe Flash Player 9 ActiveX
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Connectivity Services
AOL Deskbar
AOL Spyware Protection
AOL Toolbar
AOL Uninstaller
Avance AC'97 Audio
CCHelp
CCScore
Cisco Systems VPN Client 4.0.3 (F)
Command
EPSON Perf 2480 - 2580 Guide
EPSON Scan
EPSON Smart Panel
Fatpickle Toolbar
Get Yahoo! Messenger
HijackThis 1.99.1
hp deskjet 9300 series
IomegaWare 4.0.2
iPod for Windows 2005-10-12
iPod Updater 2004-11-15
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2
Kodak EasyShare software
LiveUpdate 1.6 (Symantec Corporation)
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Age of Empires Gold
Microsoft Office Professional Edition 2003
Mozilla Firefox (1.5)
Nero PhotoShow Elite
Nero Suite
Network Monitor
Norton AntiVirus Corporate Edition
Panda ActiveScan
PhotoImpression 5
Presto! BizCard 4.0 Component for Windows CE
Presto! BizCard 4.1 Eng
Project64 1.6
QuarkXPress 4.0
QuickTime
RealPlayer
Registrar Registry Manager 4.03
Registrar Registry Manager 4.03 (Lite Edition)
Roll
ScanToWeb
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
SFR
SFR2
SpywareGuard v2.2
Triple Play 2001
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
WillMaker 6
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinZip
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Yahoo! Toolbar

Some notes on last instructions:

1. I only found one of the five files to check-mark during the first HiJackThis scan

2. I was not able to find the C:/WINDOWS/v1201.exe file ... is there a search trick I can use to find it? I just went into C and WINDOWS and scrolled to the "V"s but didn't find it ... (also, how do you type the reverse backslash you find in file names?)

thanks ... ccinmfd

Unread postby random/random » July 23rd, 2006, 4:28 pm

Usually I copy and paste file names but there should be a backslash button next to the left hand shift button

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines (if still present)


O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (HKCU)
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe

Then close all windows except HijackThis and click Fix Checked

Restart

Use Windows Explorer to find and delete this file:

C:\WINDOWS\rundll.exe

And these folders:

C:\Program Files\Poker.com\
C:\Program Files\PartyGaming\

Please download and install the ewido anti-spyware tool
  • Close all other applications, select your language and click Ok
  • Click I Agree
  • Click next
  • Click Install
  • Click Finish
  • Wait; Ewido will open its main screen automatically.
  • Wait again a few minutes and Ewido should auto-update itself. If it doesn't, click Update at the top of the screen.
  • It is very important to get the updates.
  • When updating has finished, close Ewido.
If you have an always-on connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.
  • Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear; use the up arrow to highlight
  • Select the first option, to run Windows in Safe Mode, and hit Enter.
  • For additional help in booting into Safe Mode, see the following site: HERE

    You MUST manage to get into Safe Mode for the fix to work.
Make sure to close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
  • Open Ewido
  • Click on Scanner at the top of the Ewido screen
  • Click on Settings
  • Under How to Act, click on Recommended Action and choose Quarantine
  • Under How to scan, all boxes should be selected
  • Under Possibly unwanted software, all boxes should be selected
  • On the right side under Reports, click on Automatically generate report after every scan.
  • Under What to scan, select scan every file
  • Click on the Scan tab
  • Click on Complete system scan
  • Let the program scan the machine. It can take a while; give it time.
  • When the scan has finished, at the bottom of the screen click Apply all Actions
  • Click Save report
  • Click Save Report as (a Save As window should pop up.)
  • Click desktop
  • Click Save
  • Exit ewido

Reboot back to normal mode

1. Double click combofix.exe & follow the prompts.
2. When finished, it shall produce a log for you. Post that log in your next reply

Post back with the Ewido log, the combofix log and a new HijackThis log
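The review rules random/random applied in the two fix lists above (the R0 search hijack, the O4 autorun living directly in the Windows folder, the O16 ActiveX downloads, the orphaned O9 poker button, the O18 filter with no file, and the O23 service with no vendor) written out as a small triage script over HijackThis log lines. This is an added example, not code from the thread or from HijackThis; the trusted-host list, the `Finding` type and the sample lines (a constructed subset of the log posted above) are its own assumptions.

```python
"""Triage rules for HijackThis v1.99 log lines (added example; not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag such as "O4" or "O23"
    line: str     # the log line that triggered the rule
    reason: str   # why a helper would want to look at it

# Section tag followed by " - " and the entry body.
_LINE_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
# Directory part of a path that is a drive root or the Windows folder itself.
_WIN_ROOT_RE = re.compile(r"[A-Za-z]:(\\WINDOWS)?", re.IGNORECASE)


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split a log line into (section tag, body); None for non-entry lines."""
    m = _LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def _host_of(text: str) -> Optional[str]:
    m = _HOST_RE.search(text)
    return m.group(1).lower() if m else None


def _in_windows_or_drive_root(path: str) -> bool:
    """True for C:\\foo.exe or C:\\WINDOWS\\foo.exe, False for anything deeper."""
    directory = path.strip().rpartition("\\")[0]
    return _WIN_ROOT_RE.fullmatch(directory) is not None


def triage(lines: Iterable[str], trusted_hosts: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Apply the review rules used in the thread and return the lines that match."""
    findings: List[Finding] = []
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        line = raw.strip()
        if section in ("R0", "R1"):
            host = _host_of(body)
            if host and host not in trusted_hosts:
                findings.append(Finding(section, line, f"start/search page set to untrusted host {host}"))
        elif section == "O4":
            m = re.search(r"\] (.+?\.exe)", body, re.IGNORECASE)
            if m and _in_windows_or_drive_root(m.group(1)):
                findings.append(Finding(section, line, "autorun binary sits directly in the Windows folder or drive root"))
        elif section == "O9" and "(file missing)" in body:
            findings.append(Finding(section, line, "IE button points at a file that is no longer present"))
        elif section == "O16":
            host = _host_of(body)
            if host and host not in trusted_hosts:
                findings.append(Finding(section, line, f"ActiveX control downloaded from untrusted host {host}"))
        elif section == "O18" and ("(no file)" in body or "(no CLSID)" in body):
            findings.append(Finding(section, line, "MIME filter with no backing file or CLSID"))
        elif section == "O23":
            parts = body.rsplit(" - ", 2)  # "Service: NAME - OWNER - PATH"
            if len(parts) == 3:
                owner, path = parts[1].strip(), parts[2]
                reasons = []
                if owner.lower() == "unknown owner":
                    reasons.append("service reports no vendor")
                if _in_windows_or_drive_root(path):
                    reasons.append("service binary sits directly in the Windows folder or drive root")
                if reasons:
                    findings.append(Finding(section, line, "; ".join(reasons)))
    return findings


# Constructed sample in the shape of the log posted above (a subset of its lines).
SAMPLE_LOG = [
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com",
    r"O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe",
    r"O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)",
    r"O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab",
    r"O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab",
    r"O18 - Filter: text/html - (no CLSID) - (no file)",
    r"O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe",
    r"O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe",
]

if __name__ == "__main__":
    # Hosts the helper left alone in the thread; an assumption of this example.
    for f in triage(SAMPLE_LOG, frozenset({"www.msn.com", "acs.pandasoftware.com"})):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```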

posting logs ...

Unread postby ccinmfd » July 24th, 2006, 9:26 pm

...

Ewido log:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:20:58 PM 7/24/2006

+ Scan result:



C:\Program Files\Common Files\Symantec Shared\VirusDefs\20060719.024\0002NAV~.TMP -> Adware.AdURL : Cleaned with backup (quarantined).
C:\WINDOWS\icont.exe -> Adware.AdURL : Cleaned with backup (quarantined).
C:\stub_sca3.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20060719.024\0000NAV~.TMP -> Adware.CommAd : Cleaned with backup (quarantined).
C:\Installer3.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\IYDSM_S.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dn0401dqe.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dn8s01l7e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dnl8013ue.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\edent.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\g6jolg1316.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\gp20l3fm1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\gpnql3551.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hr4o05h3e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\i060lajm1doa.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ihaksie.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lv0q09d5e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\m446lehs1h46.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mdpmsp.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mv84l9lq1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mvnul9591.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mvrql9951.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\n66q0gj5e6o.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\nntshell.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\o448lehu1h48.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\p04u0ah9ed4.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\psrfctrs.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\u2ru0c99ef.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wwbhits.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\win0.exe -> Backdoor.IRCBot.to : Cleaned with backup (quarantined).
C:\dist13.exe -> Downloader.Agent.aaf : Cleaned with backup (quarantined).
C:\wd7gi8nnew.exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Desktop\Programs Folder\backups\backup-20060526-215058-449.dll -> Downloader.Zlob.qw : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Desktop\Programs Folder\backups\backup-20060526-215138-625.dll -> Downloader.Zlob.qw : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Desktop\Programs Folder\backups\backup-20060526-215205-589.dll -> Downloader.Zlob.qw : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Desktop\Programs Folder\backups\backup-20060526-231227-630.dll -> Downloader.Zlob.qw : Cleaned with backup (quarantined).
C:\626_101newer.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20060719.024\0001NAV~.TMP -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\SS1001newer.exe -> Dropper.Small.qn : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Local Settings\Temporary Internet Files\Content.IE5\C16ZC1IB\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
:mozilla.130:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.19:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.20:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@pch.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
:mozilla.148:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.149:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.150:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.151:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@www.adtrak[2].txt -> TrackingCookie.Adtrak : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.21:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@bfast[2].txt -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
:mozilla.207:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
:mozilla.106:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.109:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@casinopays[1].txt -> TrackingCookie.Casinopays : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@crbanner.casinopays[2].txt -> TrackingCookie.Casinopays : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned with backup (quarantined).
:mozilla.59:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
:mozilla.62:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
:mozilla.63:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
:mozilla.64:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
:mozilla.15:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.180:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Enhance : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.183:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.184:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.185:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.47:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.48:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.49:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.70:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Findwhat : Cleaned with backup (quarantined).
:mozilla.75:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup (quarantined).
:mozilla.76:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup (quarantined).
:mozilla.134:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.36:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.37:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@ehg-411web.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@ehg-inforspaceinc.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@ehg-maniatv.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.66:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
:mozilla.67:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
:mozilla.68:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
:mozilla.69:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@counter.hitslink[2].txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@linksynergy[1].txt -> TrackingCookie.Linksynergy : Cleaned with backup (quarantined).
:mozilla.176:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.177:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.178:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.60:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@data2.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@creative.paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned with backup (quarantined).
:mozilla.38:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.39:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.40:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup (quarantined).
:mozilla.61:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
:mozilla.205:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.206:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@banners.searchingbooth[2].txt -> TrackingCookie.Searchingbooth : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup (quarantined).
:mozilla.199:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.200:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.201:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.202:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.162:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.163:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.164:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.165:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@h.starware[2].txt -> TrackingCookie.Starware : Cleaned with backup (quarantined).
:mozilla.72:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.73:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.108:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.138:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.14:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.16:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.17:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.18:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined).
:mozilla.139:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.140:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.141:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.142:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.143:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.144:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.145:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.146:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.147:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.107:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.112:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@reduxads.valuead[1].txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
:mozilla.170:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
:mozilla.171:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
:mozilla.167:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
:mozilla.168:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
:mozilla.41:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.42:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.43:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.44:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.45:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.46:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.85:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.86:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.89:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@c5.zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\Documents and Settings\carrollc\Cookies\carrollc@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\WINDOWS\system32\redist.dll -> Trojan.Agent.sx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\redistributor.exe -> Trojan.Agent.sx : Cleaned with backup (quarantined).
C:\WINDOWS\wnu_114.exe -> Trojan.Qoologic : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{644F1B91-05FD-1033-0423-020121020001}\Update.exe -> Trojan.Starter.65 : Cleaned with backup (quarantined).


::Report end



Combo Fix log:

Start Time= Mon 07/24/2006 21:14:03.18
Running from: C:\Documents and Settings\carrollc\Desktop

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



2006-07-24 21:11 1,253 C:\WINDOWS\win.ini
2006-07-24 15:16 <DIR> C:\Program Files\mozilla firefox
2006-07-24 11:31 <DIR> C:\Program Files\ewido anti-spyware 4.0
2006-07-24 11:19 <DIR> C:\Program Files\ewido anti-malware
2006-07-22 21:31 <DIR> C:\Program Files\windows media player
2006-07-22 20:31 <DIR> C:\Program Files\common files
2006-07-21 20:28 <DIR> C:\Documents and Settings\carrollc\Application Data\talkback
2006-07-21 01:31 366,592 C:\WINDOWS\system32\bk.exe.ren
2006-07-21 00:18 <DIR> C:\Program Files\msn
2006-07-20 23:01 <DIR> C:\Program Files\Common Files\uffw
2006-07-20 22:02 1,111,040 C:\WINDOWS\univer.exe
2006-07-20 19:58 <DIR> C:\Program Files\tclock
2006-07-20 18:41 <DIR> C:\Program Files\Common Files\{644f1b91-05fd-1033-0423-020121020001}
2006-07-20 18:09 242,230 C:\siteerror.exe
2006-07-20 18:08 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-17 10:55 <DIR> C:\Documents and Settings\carrollc\Application Data\microsoft
2006-07-16 12:46 33 C:\WINDOWS\quark.ini
2006-07-15 03:08 458,046 C:\WINDOWS\system32\perfstringbackup.ini
2006-07-12 14:40 116 C:\WINDOWS\nerodigital.ini
2006-07-12 12:08 <DIR> C:\Documents and Settings\carrollc\Application Data\imesh
2006-07-05 18:46 <DIR> C:\Program Files\sports mogul
2006-06-24 15:34 <DIR> C:\Documents and Settings\carrollc\Application Data\active disk
2006-06-24 14:52 <DIR> C:\Program Files\iomega
2006-06-16 20:58 <DIR> C:\Program Files\internet explorer
2006-06-08 09:21 <DIR> C:\Program Files\america online 9.0a
2006-06-07 13:55 3,626 C:\Program Files\Common Files\mejeh.html
2006-06-02 08:20 <DIR> C:\Program Files\symantec
2006-05-29 19:59 <DIR> C:\Documents and Settings\carrollc\Application Data\ahead
2006-05-20 16:46 209,920 C:\WINDOWS\iun3401.exe
2006-05-19 08:59 94,720 C:\WINDOWS\system32\iphlpapi.dll
2006-05-19 08:59 148,480 C:\WINDOWS\system32\dnsapi.dll
2006-05-19 08:59 111,616 C:\WINDOWS\system32\dhcpcsvc.dll
2006-04-27 17:49 288,417 C:\WINDOWS\system32\srchsts.exe


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-21 01:37 366,592 C:\WINDOWS\system32\bk.exe.ren
2006-07-20 22:03 1,111,040 C:\WINDOWS\UNIVER.EXE
2006-07-20 22:01 1,111,040 C:\asd.exe
2006-07-20 18:09 242,230 C:\siteError.exe
2006-07-20 18:08 8,464 C:\WINDOWS\system32\sporder.dll
2006-06-28 16:52 230 C:\Delme.bat
2006-06-24 14:52 86,016 C:\WINDOWS\unvise32.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe /IMGSTART"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Ahead\\NEROPH~1\\data\\Xtras\\mssysmgr.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AOL Fast Start"="\"C:\\Program Files\\America Online 9.0a\\AOL.EXE\" -b"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Common Files\\mejeh.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\MSN\\polokibob.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"uffw"="C:\\PROGRA~1\\COMMON~1\\uffw\\uffwm.exe"
"CAS2"="\"C:\\Program Files\\System Files\\System.exe\""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{644F1B91-05FD-1033-0423-020121020001}"="\"C:\\Program Files\\Common Files\\{644F1B91-05FD-1033-0423-020121020001}\\Update.exe\" mc-110-12-0000107"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"uffw"="C:\\PROGRA~1\\COMMON~1\\uffw\\uffwm.exe"
"CAS2"="\"C:\\Program Files\\System Files\\System.exe\""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"{644F1B91-05FD-1033-0423-020121020001}"="\"C:\\Program Files\\Common Files\\{644F1B91-05FD-1033-0423-020121020001}\\Update.exe\" mc-110-12-0000107"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{81559C35-8464-49F7-BB0E-07A383BEF910}"="SpywareGuard"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder

Completion time: Mon 07/24/2006 21:14:37.53
ComboFix ver 06.07.22 - This logfile is located at C:\ComboFix.txt

ComboFix.txt
ComboFix2.txt
ComboFix3.txt


HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:16:23 PM, on 7/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\carrollc\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: VPN Client.lnk = ?
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

... if I had to rate my system's performance, it is still sluggish to slow, especially at start-up ... thanks ... ccinmfd