Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

DriveCleaner 2006 and SalesMonitor

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby LordRuin » August 28th, 2007, 6:49 pm

I've been getting a weird popup from Comodo. It says something about.
GLB6D.tmp

Description: suspicious behaviour (GLB6D.tmp)

Application: C:\Documents and Settings\Lord Ruin\Local Settings\Temp\nsm6C.html

Parent: C:\Documents and Settings\Lord Ruin\Local Settings\Temp\nsm6C.tmp
\msgup_us.exe

Protocol: UDP Out

Destination: 192.168.1.1::dns(53)

Details: C:\Documents and Settings\Lord Ruin\Local Settings\Temp\GLB6D.tmp is an invisible application.
User avatar
LordRuin
Regular Member
 
Posts: 53
Joined: August 23rd, 2007, 6:22 am
Location: Pennsylvania
Advertisement
Register to Remove

Unread postby tim s » August 28th, 2007, 9:38 pm

Hi LordRuin,
I've been getting a weird popup from Comodo. It says something about.
GLB6D.tmp

Description: suspicious behaviour (GLB6D.tmp)

Application: C:\Documents and Settings\Lord Ruin\Local Settings\Temp\nsm6C.html

Parent: C:\Documents and Settings\Lord Ruin\Local Settings\Temp\nsm6C.tmp
\msgup_us.exe

Protocol: UDP Out

Destination: 192.168.1.1::dns(53)

Details: C:\Documents and Settings\Lord Ruin\Local Settings\Temp\GLB6D.tmp is an invisible application.


Ok will take care of that.

To enable the viewing of Hidden files follow these steps:
  1. Close all programs so that you are at your desktop.
  2. Click Start, then select My Computer)
  3. Select the Tools (at top of opened screen in menu and click Folder Options.
  4. After the new window appears select the View tab.
  5. Put a checkmark in the checkbox labeled Display the contents of system folders.
  6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
  9. Press the Apply button and then the OK button and shutdown My Computer.
    Now your computer is configured to show all hidden files.

-------------------------------------------------------------------------

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

-------------------------------------------------------------------------

Delete Temp files:

Use Explorer to navigate to C:\Windows\Temp Just delete contains(What is inside) of folder not the Temp folder itself.
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\Lord Ruin\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

-------------------------------------------------------------------

Restart computer back to normal mode:

There are still leftovers of norton Please do the following.

Start WinPFind3U.
Copy/Paste the information that is inside of the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
NOTE*(make sure to just highlight and copy what is inside of the quote box nothing outside of it)

[Win32 Services - Non-Microsoft Only]
YY -> (SNDSrvc) Symantec Network Drivers Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\SNDSrvc.exe
[Registry - Non-Microsoft Only]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {644E432F-49D3-41A1-8DD5-E099162EEEC5} -> Symantec RuFSI Utility Class - CodeBase = http://security.symantec.com/sscv6/Shar ... /cabsa.cab
[Files/Folders - Modified Within 60 days]
NY -> Symantec -> %AllUsersAppData%\Symantec
NY -> Symantec Shared -> %CommonProgramFiles%\Symantec Shared


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished.
Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.
NOTE* If for some reason Notepad does not open with log of actions taken. The log will be in the Winpfind3u folder and will have a name like this:
( mmddyyyy_hhmmss.log)

Just copy and paste that log in your next reply.

---------------------------------------------------------------

Please do an online scan with Kaspersky Online Scanner

Notice!
A new version of Kaspersky Virus Scanner has been released on August 8, 2006. If you have installed a previous version, you must unistall that program first before installing the new version. To uninstall, please go to the computer control panel and select "Add/Remove Programs." Close all Internet Explorer windows before uninstalling the Kaspersky Online Scanner.
Note* You must use Internet Explorer for the scan not Firefox if you have it.

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save Report As button:
    • Save the file to your desktop.
    • File Type: Text file (*.txt).
    • Name: Kav.txt for example
  • Copy and paste that information in your next post.
==========================

I will need to check logs Please post in next reply:
Winpfind3u log >>>> Winpfind3u folder and will have a name like this:( mmddyyyy_hhmmss.log)
Kaspersky scan report
A NEW HJT log.
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby LordRuin » August 28th, 2007, 10:46 pm

Alright I did what you said. But I didnt click empty trash. I signed back into normal mode.. :cry: So.. I signed back into safe mode and I went back to the 2 folders you told me to. and repeated what you said. Then I emptied the trash. I signed back on in normal mode and I got...

http://a998.ac-images.myspacecdn.com/im ... e14aed.jpg

anyways. I copied and pasted that into the WinPFind3u and clicked fix.
Here is the log.

[Win32 Services - Non-Microsoft Only]
Service SNDSrvc stopped successfully.
Service SNDSrvc deleted successfully.
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe moved successfully.
[Registry - Non-Microsoft Only]
Starting removal of ActiveX control {644E432F-49D3-41A1-8DD5-E099162EEEC5}
C:\WINDOWS\Downloaded Program Files\rufsi.dll moved successfully.
C:\WINDOWS\Downloaded Program Files\CabSA.inf moved successfully.
C:\WINDOWS\Downloaded Program Files\rufsi.dll not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{644E432F-49D3-41A1-8DD5-E099162EEEC5} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{644E432F-49D3-41A1-8DD5-E099162EEEC5} deleted successfully.
Removal of ActiveX control {644E432F-49D3-41A1-8DD5-E099162EEEC5} complete!
[Files/Folders - Modified Within 60 days]
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads moved successfully.
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate moved successfully.
C:\Documents and Settings\All Users\Application Data\Symantec\LiveSubscribe moved successfully.
C:\Documents and Settings\All Users\Application Data\Symantec moved successfully.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\Savrt moved successfully.
C:\Program Files\Common Files\Symantec Shared\VirusDefs moved successfully.
C:\Program Files\Common Files\Symantec Shared\SPManifests moved successfully.
C:\Program Files\Common Files\Symantec Shared\IDS moved successfully.
C:\Program Files\Common Files\Symantec Shared moved successfully.
< End of log >
Created on 08/29/2007 00:41:53
User avatar
LordRuin
Regular Member
 
Posts: 53
Joined: August 23rd, 2007, 6:22 am
Location: Pennsylvania

Unread postby tim s » August 28th, 2007, 10:49 pm

Please run HiJackThis and post a new log for me to check.

I will need the online scanner report when you have time.
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby LordRuin » August 28th, 2007, 10:51 pm

Logfile of HijackThis v1.99.1
Scan saved at 12:50:54 AM, on 8/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {474AD63A-9B7E-40FE-8E4E-7067CC0F8D3D} (IB_OnAir.IBOnAir) - http://ionair.sbs.co.kr/onair/IB_OnAir.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/KO-KR/a-U ... E_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.diodeo.com/ActiveDiodeoPlayer.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://runvirusscan.com/ols3/fscax.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {F4A1D5E2-AF49-47A7-A945-23038106F3A4} (Pandora_SetUp Control) - http://imgcdn.pandora.tv/pan_img/launch ... etUpAX.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
User avatar
LordRuin
Regular Member
 
Posts: 53
Joined: August 23rd, 2007, 6:22 am
Location: Pennsylvania

Unread postby tim s » August 28th, 2007, 10:55 pm

Thats good now I will need to see the Kaspersky Online Scan report when you have time to run and post log.
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby LordRuin » August 30th, 2007, 12:46 am

tim s wrote:Thats good now I will need to see the Kaspersky Online Scan report when you have time to run and post log.


I'm doing it right now. But Avira kept poping up saying something about "purityscan" lol. A new virus/malware I presume. lol
User avatar
LordRuin
Regular Member
 
Posts: 53
Joined: August 23rd, 2007, 6:22 am
Location: Pennsylvania

Unread postby LordRuin » August 30th, 2007, 1:28 am

I accidently saved it as .html.. :( If you want I will scan again and save as text format.


KASPERSKY ONLINE SCANNER REPORT
Thursday, August 30, 2007 2:22:08 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 30/08/2007
Kaspersky Anti-Virus database records: 398276


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics
Total number of scanned objects 139506
Number of viruses found 6
Number of infected objects 34
Number of suspicious objects 2
Duration of the scan process 02:27:57

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46931d74\AV000005c0$0000008e.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46931d74\AV000005c4$0000008a.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46931d74\AV000005c8$0000008c.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46979f87\AV000001c4$00000011.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46979f87\AV000001d4$00000013.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_469b034a\AV00000620$00000006.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46a446ec\AV0000054c$00000007.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46a446ec\AV00000568$0000000a.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46a446ec\AV0000056c$0000000c.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip/Yazzle1549OinUninstaller.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Lord Ruin\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Lord Ruin\Desktop\WinPFind3u\MovedFiles\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped

C:\Documents and Settings\Lord Ruin\Local Settings\Application Data\Microsoft\Messenger\sephiroth171@hotmail.com\SharingMetadata\Logs\Dfsr.log Object is locked skipped

C:\Documents and Settings\Lord Ruin\Local Settings\Application Data\Microsoft\Messenger\sephiroth171@hotmail.com\SharingMetadata\pending.dat Object is locked skipped

C:\Documents and Settings\Lord Ruin\Local Settings\Application Data\Microsoft\Messenger\sephiroth171@hotmail.com\SharingMetadata\Working\database_2630_7710_E000_E1C3\dfsr.db Object is locked skipped

C:\Documents and Settings\Lord Ruin\Local Settings\Application Data\Microsoft\Messenger\sephiroth171@hotmail.com\SharingMetadata\Working\database_2630_7710_E000_E1C3\fsr.log Object is locked skipped

C:\Documents and Settings\Lord Ruin\Local Settings\Application Data\Microsoft\Messenger\sephiroth171@hotmail.com\SharingMetadata\Working\database_2630_7710_E000_E1C3\fsrtmp.log Object is locked skipped

C:\Documents and Settings\Lord Ruin\Local Settings\Application Data\Microsoft\Messenger\sephiroth171@hotmail.com\SharingMetadata\Working\database_2630_7710_E000_E1C3\tmp.edb Object is locked skipped

C:\Documents and Settings\Lord Ruin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Lord Ruin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Lord Ruin\Local Settings\Application Data\Microsoft\Windows Live Contacts\sephiroth171@hotmail.com\real\members.stg Object is locked skipped

C:\Documents and Settings\Lord Ruin\Local Settings\Application Data\Microsoft\Windows Live Contacts\sephiroth171@hotmail.com\shadow\members.stg Object is locked skipped

C:\Documents and Settings\Lord Ruin\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Lord Ruin\Local Settings\History\History.IE5\MSHist012007083020070831\index.dat Object is locked skipped

C:\Documents and Settings\Lord Ruin\Local Settings\Temp\Perflib_Perfdata_ed4.dat Object is locked skipped

C:\Documents and Settings\Lord Ruin\Local Settings\Temp\~DF5A19.tmp Object is locked skipped

C:\Documents and Settings\Lord Ruin\Local Settings\Temp\~DF5C8C.tmp Object is locked skipped

C:\Documents and Settings\Lord Ruin\Local Settings\Temp\~DF61FA.tmp Object is locked skipped

C:\Documents and Settings\Lord Ruin\Local Settings\Temp\~DF7828.tmp Object is locked skipped

C:\Documents and Settings\Lord Ruin\Local Settings\Temp\~DFAE19.tmp Object is locked skipped

C:\Documents and Settings\Lord Ruin\Local Settings\Temp\~DFAFF9.tmp Object is locked skipped

C:\Documents and Settings\Lord Ruin\Local Settings\Temp\~DFD4A.tmp Object is locked skipped

C:\Documents and Settings\Lord Ruin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Lord Ruin\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Lord Ruin\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\New Account\Local Settings\Temp\hsperfdata_New Account\540 Object is locked skipped

C:\Documents and Settings\New Account\Local Settings\Temp\WinAntiSpyware2007Setup.exe/file05/file2 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped

C:\Documents and Settings\New Account\Local Settings\Temp\WinAntiSpyware2007Setup.exe/file05 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped

C:\Documents and Settings\New Account\Local Settings\Temp\WinAntiSpyware2007Setup.exe/file26 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped

C:\Documents and Settings\New Account\Local Settings\Temp\WinAntiSpyware2007Setup.exe/file39 Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\New Account\Local Settings\Temp\WinAntiSpyware2007Setup.exe Inno: infected - 4 skipped

C:\Program Files\poolsv\WinAntiSpyware2007FreeInstall.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped

C:\Program Files\Save\ACM.dll Infected: not-a-virus:AdTool.Win32.WhenU.i skipped

C:\Program Files\Save\Save.exe Infected: not-a-virus:AdTool.Win32.WhenU.i skipped

C:\Program Files\Save\SaveNowupdate.exe/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bc skipped

C:\Program Files\Save\SaveNowupdate.exe/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bc skipped

C:\Program Files\Save\SaveNowupdate.exe/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.bc skipped

C:\Program Files\Save\SaveNowupdate.exe Embedded CAB: infected - 3 skipped

C:\Program Files\Save\Saveupdate.exe/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bc skipped

C:\Program Files\Save\Saveupdate.exe/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bc skipped

C:\Program Files\Save\Saveupdate.exe/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.bc skipped

C:\Program Files\Save\Saveupdate.exe Embedded CAB: infected - 3 skipped

C:\Program Files\Veoh Networks\Veoh\client.log Object is locked skipped

C:\Program Files\Veoh Networks\Veoh\upload.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\billing_Lord Ruin.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\client_Lord Ruin.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\network_Lord Ruin.log Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP313\A0095243.exe Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP334\A0103913.exe Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP343\A0109727.exe/file05/file2 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped

C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP343\A0109727.exe/file05 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped

C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP343\A0109727.exe/file26 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped

C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP343\A0109727.exe/file39 Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP343\A0109727.exe Inno: infected - 4 skipped

C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP343\A0109728.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped

C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP343\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{7746B95D-6D71-49E3-99E6-ECD978C291D8}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
User avatar
LordRuin
Regular Member
 
Posts: 53
Joined: August 23rd, 2007, 6:22 am
Location: Pennsylvania

Unread postby tim s » August 30th, 2007, 8:29 pm

Hi LordRuin,

There is more cleaning to be done.

P2P Warning!
Please note that as long as you're using any form of Peer-to-Peer networking like BitTorrent and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.

You can also catch a list of tested P2P programs here: http://p2p.malwareremoval.com/

Please do not download anything until we get your computer clean.
===================================================

These are the files from your KASPERSKY scan that look like they have been quarantined by AntiVir PersonalEdition Classic
C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46931d74\AV000005c0$0000008e.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46931d74\AV000005c4$0000008a.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46931d74\AV000005c8$0000008c.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46979f87\AV000001c4$00000011.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46979f87\AV000001d4$00000013.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_469b034a\AV00000620$00000006.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46a446ec\AV0000054c$00000007.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46a446ec\AV00000568$0000000a.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46a446ec\AV0000056c$0000000c.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped



Cleanout AntiVir quarantined files
  • Open AntiVir PersonalEdition Classic control panel
  • click on the quarantine tab
  • Now delete(cleanout) anything that shows that has been quarantined.
  • close program done.
Let me know if these files are not there in quarantine?

-------------------------------------------------------------------------

This is next:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip/Yazzle1549OinUninstaller.exe Suspicious: Password-protected-EXE skipped

  • Open Spybot Search & Destroy
  • Click on the Recovery button on the left column.
  • Choose from list this one YazzleSudoku.zip Then click the purge button.
  • close program done.

Restart computer now.
------------------------------------------------------------

This is next

Download SmitfraudFix (by S!Ri) make sure to click the Save button not Run button and save to your Desktop.

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a 'RiskTool'; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between 'good' and 'malicious' use of such programs, therefore they may alert the user.

----------------------------------------------------------------

I will need to check log be anymore cleaning.
Please post these logs.
SmitfraudFix >> rapport.txt
Run a new HiJackthis log and post.
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby LordRuin » August 31st, 2007, 2:20 am

"C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46931d74\AV000005c0$0000008e.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46931d74\AV000005c4$0000008a.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46931d74\AV000005c8$0000008c.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46979f87\AV000001c4$00000011.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46979f87\AV000001d4$00000013.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_469b034a\AV00000620$00000006.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46a446ec\AV0000054c$00000007.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46a446ec\AV00000568$0000000a.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46a446ec\AV0000056c$0000000c.AV$ Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped "

They were not in Quarantine. However a HEUR/Malware, and "Contained Suspiticous Code" were in Quarantine. I deleted them from Quarantine.

Here is the long from the scan.

SmitFraudFix v2.218

Scan done at 3:16:12.98, Fri 08/31/2007
Run from C:\Documents and Settings\Lord Ruin\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Lord Ruin


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Lord Ruin\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\LORDRU~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{23C5DE8D-CFBC-4737-8909-5321E37CF182}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{23C5DE8D-CFBC-4737-8909-5321E37CF182}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{23C5DE8D-CFBC-4737-8909-5321E37CF182}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
User avatar
LordRuin
Regular Member
 
Posts: 53
Joined: August 23rd, 2007, 6:22 am
Location: Pennsylvania

Unread postby tim s » August 31st, 2007, 11:35 am

Hi LordRuin,


The SmitfraudFix log is clear please delete
This tool I had you download is of no longer any use as it update so frequently that fresh copy has to be downloaded when needed.

Delete these:
SmitFraudFix.exe and SmitFraudFix Folder

Your computer should already be set to show hidden files and folders. It will need to be so for next part:

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

------------------------------------------------

Use Explorer to navigate to and delete the following folders (if they are present) just what is in red:
Folders:

  • C:\Program Files\Save
  • C:\Program Files\poolsv

Next:
Here you will need to clean out this Temp Folder just what is inside of it, which is located in this New Account folder


C:\Documents and Settings\New Account\Local Settings\Temp <<< Just delete the contains of folder not folder itself.
Restart computer back to normal mode here.

If you need help finding these folders let me know.


--------------------------------------------------------------------

Now we need to check for anything that I have missed.

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

AVG Anti-Spyware:

Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open. Do not run a scan yet.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).
Please set up the program as follows:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Do not automatically generate reports. NOTE* If this is not selected you will not be able to click Save Scan Report button when instructed to do so.
    • Under What to scan? - Select Scan every file.
Close AVG Anti-Spyware without running yet.
Now disable (turn off AVG Anti-Spyware)
  • Right-click the AVG Anti-Spyware Tray Icon (Bottom right corner of computer screen near clock) and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon again and select Exit. Confirm by clicking Yes.

______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________


Open AVG Anti-Spyware program.
  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button (*** This must done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
Restart computer back into normal mode.

-----------------------------------------------------------

I will need to check both of these logs.
Post these in next reply:

AVG Anti-Spyware report
New HJT log
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby tim s » September 2nd, 2007, 8:24 pm

Hi LordRuin,

Let me know if you are having any problems with last set of instructions?
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby LordRuin » September 2nd, 2007, 9:04 pm

:) I think I'm ok. But should I shut down all other programs before running Hijack this? Here is the one report.
I though that "Not-A-Virus.Downloader.Win32.WinFixer.o" was kinda amusing..

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:50:24 PM 9/2/2007

+ Scan result:



C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP346\A0110067.exe/Save.exe -> Adware.WhenUSave : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP346\A0110068.exe/Save.exe -> Adware.WhenUSave : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP346\A0110064.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46931d74\AV000005c0$0000008e.AV$ -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46931d74\AV000005c4$0000008a.AV$ -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46931d74\AV000005c8$0000008c.AV$ -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46979f87\AV000001c4$00000011.AV$ -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46979f87\AV000001d4$00000013.AV$ -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_469b034a\AV00000620$00000006.AV$ -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46a446ec\AV0000054c$00000007.AV$ -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46a446ec\AV00000568$0000000a.AV$ -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_46a446ec\AV0000056c$0000000c.AV$ -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP313\A0095243.exe -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP334\A0103913.exe -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Cookies\guest@247realmedia[2].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@cartoonnetwork.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@gateway.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@hollywoodentertainment.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@livenation.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@omahasteaks.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@pch.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@snagajob.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@snapfish.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@wpni.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Lord Ruin\Cookies\lord ruin@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@anheuserbusch.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@care2.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@educationmanagementllc.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@hearstmagazines.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@heliumexchange.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@highbeam.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@livenation.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@meetupcom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@microsoftwlsearchcrm.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@msnaccountservices.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@newmotioninc.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@realnetworks.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@viacomedycentralrl.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@warnerbrothersrecords.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@arn.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Lord Ruin\Cookies\lord ruin@4.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Lord Ruin\Cookies\lord ruin@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Lord Ruin\Cookies\lord ruin@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@3.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@4.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@adviva[2].txt -> TrackingCookie.Adviva : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@bfast[2].txt -> TrackingCookie.Bfast : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@bluemountain[2].txt -> TrackingCookie.Bluemountain : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ads.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@cc.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@castup[1].txt -> TrackingCookie.Castup : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@clickbank[2].txt -> TrackingCookie.Clickbank : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@cz3.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@cz6.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ads.cnn[2].txt -> TrackingCookie.Cnn : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@ads.guardian.co[2].txt -> TrackingCookie.Co : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Lord Ruin\Cookies\lord ruin@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@news.com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@connextra[1].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@stat.dealtime[2].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@stat.dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@e-2dj6wjkyemczehp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@e-2dj6wjmyaic5ekp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@e-2dj6wjnyakajcfq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@e-2dj6wjnysidzwgo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@e-2dj6wjl4sndjmko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Lord Ruin\Cookies\lord ruin@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@fortunecity[1].txt -> TrackingCookie.Fortunecity : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@fortunecity[2].txt -> TrackingCookie.Fortunecity : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ads.gamershell[1].txt -> TrackingCookie.Gamershell : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@www.gamershell[2].txt -> TrackingCookie.Gamershell : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@105-bmp.googleadservices[1].txt -> TrackingCookie.Googleadservices : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ehg-accuweather.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ehg-adaptivemarketing.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ehg-aha.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ehg-atariinc.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ehg-comcast.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ehg-digg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ehg-findlaw.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ehg-foxmovies.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ehg-gamespot.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ehg-ifilm.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ehg-jupitermedia.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ehg-maniatv.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ehg-newegg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ehg-pharmacia.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ehg-suite101.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ehg-verizon.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ehg-verizoncommunications.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ehg-viacom.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ehg-wss.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ehg-youtube.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ehg.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@hg1.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@phg.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@counter.hitslink[1].txt -> TrackingCookie.Hitslink : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@counter2.hitslink[1].txt -> TrackingCookie.Hitslink : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@hotlog[2].txt -> TrackingCookie.Hotlog : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@searchportal.information[2].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Lord Ruin\Cookies\lord ruin@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@searchportal.information[2].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@intelli-direct[1].txt -> TrackingCookie.Intelli-direct : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@linksynergy[2].txt -> TrackingCookie.Linksynergy : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@search.live[1].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@search.live[1].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@auto.search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@ie.search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Lord Ruin\Cookies\lord ruin@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@data1.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Lord Ruin\Cookies\lord ruin@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@pro-market[2].txt -> TrackingCookie.Pro-market : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@pro-market[2].txt -> TrackingCookie.Pro-market : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Lord Ruin\Cookies\lord ruin@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@guide.real[2].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@real[1].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\Lord Ruin\Cookies\lord ruin@real[2].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@guide.real[1].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@real[2].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Lord Ruin\Cookies\lord ruin@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Lord Ruin\Cookies\lord ruin@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@www.smartadserver[1].txt -> TrackingCookie.Smartadserver : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Lord Ruin\Cookies\lord ruin@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Lord Ruin\Cookies\lord ruin@specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@spylog[1].txt -> TrackingCookie.Spylog : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@h.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@try.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@h.starware[2].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@try.starware[2].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@statistik-gallup[1].txt -> TrackingCookie.Statistik-gallup : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Lord Ruin\Cookies\lord ruin@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Lord Ruin\Cookies\lord ruin@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Lord Ruin\Cookies\lord ruin@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@fad-601.iad6.targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@targetnet[2].txt -> TrackingCookie.Targetnet : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@login.tracking101[1].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Lord Ruin\Cookies\lord ruin@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Lord Ruin\Cookies\lord ruin@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@reduxads.valuead[1].txt -> TrackingCookie.Valuead : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@ezzs.valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@yadro[1].txt -> TrackingCookie.Yadro : Cleaned.
C:\Documents and Settings\New Account\Cookies\new account@yadro[1].txt -> TrackingCookie.Yadro : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@c6.zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Lord Ruin\Desktop\WinPFind3u\MovedFiles\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe -> Trojan.Fakealert.fb : Cleaned with backup (quarantined).


::Report end
User avatar
LordRuin
Regular Member
 
Posts: 53
Joined: August 23rd, 2007, 6:22 am
Location: Pennsylvania

Unread postby tim s » September 2nd, 2007, 9:38 pm

Hi LordRuin,

Thanks for posting log.

I need to check another HiJackThis log. Please run HJT and post another log. We need to make sure it is clear.

Let me know how your computer is running now.
Last edited by tim s on September 2nd, 2007, 10:10 pm, edited 1 time in total.
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby LordRuin » September 2nd, 2007, 10:10 pm

Logfile of HijackThis v1.99.1
Scan saved at 11:09:44 PM, on 9/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {474AD63A-9B7E-40FE-8E4E-7067CC0F8D3D} (IB_OnAir.IBOnAir) - http://ionair.sbs.co.kr/onair/IB_OnAir.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/KO-KR/a-U ... E_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.diodeo.com/ActiveDiodeoPlayer.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://runvirusscan.com/ols3/fscax.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {F4A1D5E2-AF49-47A7-A945-23038106F3A4} (Pandora_SetUp Control) - http://imgcdn.pandora.tv/pan_img/launch ... etUpAX.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
User avatar
LordRuin
Regular Member
 
Posts: 53
Joined: August 23rd, 2007, 6:22 am
Location: Pennsylvania
Advertisement
Register to Remove

PreviousNext

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 38 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware