Trojan Horse - Backdoor.Generic2.AKA

Unread postby wonderwill » December 21st, 2005, 3:39 pm

Just had my daughter's PC cleaned up by Kim and it has become reinfected with the above. Running very slowly. Can anyone help please?

Here is the Hijack

Logfile of HijackThis v1.99.1
Scan saved at 19:38:32, on 21/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\program files\zango\zango.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\utilman.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.HOMESOPHIE\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cindythumbs.com/ to verify your age, REQUIRED! WARNING! Adult pictures are featured in this site. Only adults permitted beyond this point! Are you at least 18 years old
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE PopUp-Killer - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: Zango Search Assistant Helper - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [crop] C:\WINDOWS\crop.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6978078038
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7818920249
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ ... loader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Unread postby Kimberly » December 22nd, 2005, 2:33 pm

Hello wonderwill,

Sad to hear that her PC got infected again. You should really put some additional protection in place and update the PC to the latest Service Pack ...

Make sure that you can see hidden files.
  1. Click Start.
  2. Click My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View Tab.
  5. Under the Hidden files and folders heading select Show hidden files and folders.
  6. Uncheck the Hide protected operating system files (recommended) option.
  7. Click Yes to confirm.
  8. Uncheck the Hide file extensions for known file types.
  9. Click OK.
______________________________

If you already have the latest Ad-Aware SE 1.06 version, skip to Run Ad-Aware. Otherwise download Ad-Aware SE 1.06 from here and install it. Uncheck all the options before leaving the Install Wizard.

Run Ad-Aware and Click on the World Icon. Click the Connect button on the webupdate screen. If an update is available download it and install it. Click the Finish button to go back to the main screen.

Click on the Gear Icon (second from the left at the top of the window) to access the Configuration Window.

Click on the General Button on the left and select in green
  • Under Safety
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
  • Under Definitions
    • Prompt to update outdated definitions - set to 7 days
Click on the Scanning Button on the left and select in green
  • Under Driver, Folders & Files
    • Scan Within Archives
  • Under Select drives & folders to scan
    • choose all hard drives
  • Under Memory & Registry
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file
Click on the Advanced Button on the left and select in green
  • Under Shell Integration
    • Move deleted files to Recycle Bin
  • Under Logfile Detail Level
    • Include additional object information
    • DESELECT - Include negligible objects information (make it show a red X)
    • Include environment information
  • Under Alternate Data Streams
    • Don't log streams smaller than 0 bytes
    • Don't log ADS with the following names: CA_INOCULATEIT
Click the Tweak Button and select in green
  • Under the Scanning Engine (Click on the + sign to expand)
    • DESELECT Unload recognized processes & modules during scan (make it show a red X)
    • Scan registry for all users instead of current user only
  • Under the Cleaning Engine (Click on the + sign to expand)
    • Always try to unload modules before deletion
    • During Removal, unload Explorer and IE if necessary
    • Let Windows remove files in use at next reboot
  • Under the Log Files (Click on the + sign to expand)
    • Include basic Ad-aware SE settings in logfile
    • Include additional Ad-aware SE settings in logfile
    • Include reference summary in log file
    • Include alternate data stream details in log file
Click on Proceed to save the settings and close the program.
______________________________

Start Ewido and you will need to update Ewido to the latest definition files.
  • On the left-hand side of the main screen click the Update Button.
  • Click on Start.
The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.
______________________________

Click on Start, Control Panel, click on Add/Remove Programs
Look through the installed programs for the following items and remove them if present:

Zango
Messenger Plus! 3


During the uninstall process, you might be presented with several prompts to guide you through uninstalling the product. Read these carefully to make sure you are actually choosing to uninstall rather than keep the software.
______________________________

Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cindythumbs.com/ to verify your age, REQUIRED! WARNING! Adult pictures are featured in this site. Only adults permitted beyond this point! Are you at least 18 years old
O2 - BHO: Zango Search Assistant Helper - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart

Close ALL windows and browsers except HijackThis and click Fix Checked
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
______________________________

Using Windows Explorer, Search and Delete these Folders if listed:

C:\Program Files\MessengerPlus! 3
c:\program files\zango

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, click to select the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido Security Suite, and run a full scan.
  • Click on Scanner
  • Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on Ok
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
  • Click Save Report button
  • Save the report to your Desktop
Close Ewido.
______________________________

Run Ad-Aware and Click on the Scan Now Button
  • Choose Perform Full System Scan
  • DESELECT Search for negligible risk entries, as negligible risk entries (MRU's) are not considered to be a threat. (make it show a red X)
Click Next to begin the scan. When the scan is completed, the Performing System Scan screen will change name to Scan Complete.

Click the Next Button to get to the Scanning Results Window where more information about the objects detected during the scan is available. Click the Critical Objects Tab. In general all of the items listed will be bad. To fix all the bad critical objects, right click on one of them, click the Select All entry in the pop-up menu to mark all entries. Click Next and then OK in the dialog box to confirm the removal.

Reboot to complete the removal of what Ad-Aware SE found.
______________________________

C:\WINDOWS\crop.exe : Do you know this file? If not, perform the task below:

Submit the file C:\WINDOWS\crop.exe to Jotti's scanner at:
http://virusscan.jotti.org/
Post the results here in the next reply.

Navigate to C:\WINDOWS folder and right-click on crop.exe. Select Properties from the context menu that pops up, go to the Version tab, and get all the information you can from there (click on the individual Item Names under Other Version information so that you can see the details for each). Post that information here.
______________________________

Please post the Ewido log and a new HijackThis log and eventually the results from Jotti's scanner.

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am
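Added example (not part of this thread, and not HijackThis or ewido code): a small Python triage script that parses the O2 (BHO), O4 (Run key) and O23 (service) lines of a HijackThis v1.99.1 log in the format posted above and flags the kinds of entries Kim singled out: autostarts and BHOs belonging to the software she said to uninstall, a file autostarting from the Windows root folder (the crop.exe question), and services with no vendor name. The sample log fragment, the keyword denylist and the heuristics are constructed for this example.

```python
"""Triage helper for HijackThis v1.99.1 logs (example code, not HijackThis).

It parses the O2 (BHO), O4 (Run key) and O23 (service) lines and flags the
kinds of entries a helper looks at first. The heuristics and keyword list
are constructed for this example and are deliberately narrow.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Zango Search Assistant Helper - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [crop] C:\WINDOWS\crop.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Product names the helper told the poster to uninstall (constructed denylist;
# a real triage would consult a maintained database instead).
UNWANTED_KEYWORDS = ("zango", "messengerplus", "messenger plus")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# The Run value is printed verbatim, so the path may be quoted or may contain
# unquoted spaces; anchoring on the executable extension handles both cases.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|scr|pif|bat|cmd|dll))"?(?P<args>.*)$', re.IGNORECASE)
# A file sitting directly in the Windows folder (not system32) is unusual for
# a legitimate autostart; that is the pattern behind the crop.exe question.
WINDOWS_ROOT_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+$", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section code: O2, O4 or O23
    name: str      # BHO name, Run value name or service name
    path: str      # file the entry points at
    reason: str    # why a helper should look at it


def split_command(cmd: str) -> Tuple[str, str]:
    """Split an O4 command line into (executable path, arguments)."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    return m["path"], m["args"].strip()


def is_unwanted(*fields: str) -> bool:
    """True if any field mentions a product on the constructed denylist."""
    blob = " ".join(fields).lower()
    return any(k in blob for k in UNWANTED_KEYWORDS)


def in_windows_root(path: str) -> bool:
    """True for files directly under X:\\WINDOWS, e.g. C:\\WINDOWS\\crop.exe."""
    return bool(WINDOWS_ROOT_RE.match(path.strip()))


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    line = line.strip()
    if m := O2_RE.match(line):
        if is_unwanted(m["name"], m["path"]):
            return Finding("O2", m["name"], m["path"], "BHO belongs to software the helper said to uninstall")
        return None
    if m := O4_RE.match(line):
        path, _args = split_command(m["cmd"])
        if is_unwanted(m["name"], path):
            return Finding("O4", m["name"], path, "autostart belongs to software the helper said to uninstall")
        if in_windows_root(path):
            return Finding("O4", m["name"], path, "unknown file autostarting from the Windows root folder; identify it before removing")
        return None
    if m := O23_RE.match(line):
        if m["owner"].strip().lower() == "unknown owner":
            return Finding("O23", m["name"], m["path"], "service carries no vendor information; confirm its publisher")
        return None
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep the hits, in order."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:<4}{f.name:<30}{f.path}\n    -> {f.reason}")
```

Entries that are not flagged (AVG, Java, the Acrobat BHO, the Zone Labs service) are exactly the ones Kim left alone, which is the point of an allow-by-default triage: it narrows what a human reviews rather than deciding for them.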

Unread postby wonderwill » December 22nd, 2005, 6:44 pm

Logfile of HijackThis v1.99.1
Scan saved at 22:44:03, on 22/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.HOMESOPHIE\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE PopUp-Killer - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6978078038
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7818920249
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ ... loader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Unread postby wonderwill » December 22nd, 2005, 6:45 pm

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 22:20:52, 22/12/2005
+ Report-Checksum: 5B59361D

+ Scan result:

:mozilla.10:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Adviva : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.142:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.143:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.144:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.148:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.149:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.150:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.158:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.163:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.164:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.198:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.213:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.228:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.229:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.231:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.239:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.243:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.244:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.245:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.246:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.247:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.248:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.249:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.250:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.251:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.257:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.258:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.259:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.260:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.261:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.262:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.263:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.272:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.274:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.276:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.288:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.290:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.291:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.135:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\h1m69lkk.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Owner.HOMESOPHIE\Local Settings\Temp\Del81.tmp -> Adware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{92CD6F44-7009-4606-B3BB-FCDDE3FB05EE}\RP6\A0000208.dll -> Backdoor.Haxdoor.fl : Cleaned with backup
C:\System Volume Information\_restore{92CD6F44-7009-4606-B3BB-FCDDE3FB05EE}\RP6\A0000209.dll -> Backdoor.Haxdoor.fl : Cleaned with backup


::Report End
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Unread postby wonderwill » December 22nd, 2005, 6:46 pm

kim

Crop.exe did not exist in C:\windows?

WW
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Unread postby Kimberly » December 23rd, 2005, 11:14 am

Maybe it has been deleted or it's very well hidden. Well you did remove the corresponding O4 line, that's good. :)

I see something cleaned up by Ewido in your System Restore folder I don't like : Backdoor.Haxdoor.fl

Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
______________________________

Please Download Rootkit Revealer
http://www.sysinternals.com/utilities/r ... ealer.html

Create a folder for Rootkit Revealer on the C: drive called C:\Rkr. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it Rkr. Extract all the files from the zip archive into that folder.

Open the Rkr folder and double-click the icon for RootkitRevealer.exe to launch the program. Save the log into that folder (File > Save)

If you get a warning, let the driver load...it will be a random named one but if you have spyware protections running the info they give (when warned) will tell you it is from sysinternals.
______________________________

Run HijackThis, click on Open the Misc Tools Section, put a checkmark in List also minor sections and List empty sections. Click on Generate StartupList log, answer Yes and copy/paste the content in your reply.

Please post the RootkitRevealer log, the Kaspersky log and the startup list please.

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby wonderwill » December 24th, 2005, 12:32 pm

Kim

Here is the start of the logs you requested. You will note that I have upgraded to XP Professional and Service Pack 2 although this does not seem to have overcome problems. I have a funny feeling my daughter may have been running Messenger Plus despite my telling her not to.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, December 24, 2005 16:21:02
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 24/12/2005
Kaspersky Anti-Virus database records: 167174
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 29961
Number of viruses found: 11
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 2645 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ILCRRGHI\eied_s7[1].chm/eied_s7.htm Infected: Trojan-Downloader.JS.Psyme.bi
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ILCRRGHI\eied_s7[1].chm Infected: Trojan-Downloader.JS.Psyme.bi
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ILCRRGHI\init[1].js Infected: Trojan-Downloader.JS.IstBar.af
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.ad
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream/data0008 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\protect[1].htm Infected: Trojan-Downloader.JS.Codebase.c
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\protect[1].php/packed Infected: Trojan-Downloader.JS.Codebase.c
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\protect[1].php Infected: Trojan-Downloader.JS.Codebase.c
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-534e5212-672a1ad8.zip/Mein.class Infected: Trojan.Java.Binny.a
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-534e5212-672a1ad8.zip/Beyond.class Infected: Trojan.Java.Binny.a
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-534e5212-672a1ad8.zip Infected: Trojan.Java.Binny.a
C:\q243041.exe Infected: Trojan-Downloader.Win32.Femad.ae
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP3\A0002256.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP3\A0002256.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP3\A0002256.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP4\A0003384.ini Infected: not-a-virus:AdWare.Win32.Sahat.am
C:\WINDOWS\system32\avpe64.sys Infected: Backdoor.Win32.Haxdoor.fr
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\winupdt.exe Infected: Backdoor.Win32.Haxdoor.fr
C:\WINDOWS\system32\qz.sys Infected: Backdoor.Win32.Haxdoor.fr

Scan process completed.
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Unread postby Kimberly » December 24th, 2005, 1:17 pm

Hello wonderwill,

You will note that I have upgraded to XP Professional and Service Pack 2 although this does not seem to have overcome problems.


It will not delete / kill existing problems but it will protect you better in the future once your PC is clean. Messenger did not create this Haxdoor problem, that's more like a drive by download or by visiting a dodgy site. :(

First steps to clean up a part of the temp files and the Java cache infection:

Keep all browsers closed. Click on Start then Control Panel
Double click on the Java plug-in icon (there may be more than one). The Java Control Panel appears.
  1. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
  2. Click the Delete Files. The Delete Temporary Files dialog box appears.
    Put a checkmark next to the three options on this window to clear the cache.
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  3. Click Ok on the Delete Temporary Files window.
  4. Click Ok on Temporary Files Settings window.
If there are other Java plug-in icons... perform the same action on all of them. That should clean out the infected files.
______________________________

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, click to select the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click Apply then OK.
______________________________

Delete the file : C:\q243041.exe

We will take care of the Haxdoor in the next step but I need more info before in addition to the RootkitRevealer log and the startup list.

Download WinPFind.zip to your Desktop or to your usual Download Folder.
http://www.bleepingcomputer.com/files/winpfind.php
Extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.
Open the C:\WinPFind folder and double-click on WinPFind.exe.
Click on Configure Scan Options.
Remove all the checkmarks under Folder Options on the left side by clicking the button Remove All, uncheck Run Addon's and click Apply.
Click on the Start Scan button and wait for it to finish.

Please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log file named C:\WinPFind\WinPFind.txt. Please copy that log into your next reply.
______________________________

Please post :

Rootkit revealer log
Winpfind log
Startup list
A new HijackThis log

Try to limit Internet activity on the PC for the time being.

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am
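As an added illustration of the triage Kim applies to the Kaspersky report above (separating browser-cache and Java-cache leftovers and System Restore copies from files in live system locations such as the Haxdoor driver in system32), here is a small parser. It is example code written for this page, not a tool from the thread or from Kaspersky; the location labels are my own, and the sample report is a subset of lines quoted from the post above.

```python
"""Triage helper for Kaspersky On-line Scanner report lines (added example)."""
import re
from collections import defaultdict

# Each "Infected Object Name - Virus Name" line has the shape
# "<path>[/<inner stream or archive member>] Infected: <detection name>".
LINE_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+)$")

# Location classes (labels are assumptions for this example), checked in
# order; the first matching rule wins.
LOCATION_RULES = [
    ("system_restore", re.compile(r"\\System Volume Information\\_restore", re.I)),
    ("ie_cache", re.compile(r"\\Temporary Internet Files\\", re.I)),
    ("java_cache", re.compile(r"\\Sun\\Java\\Deployment\\cache\\", re.I)),
    ("temp", re.compile(r"\\Local Settings\\Temp\\", re.I)),
    ("system", re.compile(r"^[A-Z]:\\WINDOWS\\", re.I)),
]

# Subset of the report posted above (raw string so backslashes survive).
SAMPLE_REPORT = r"""
Infected Object Name - Virus Name
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\protect[1].htm Infected: Trojan-Downloader.JS.Codebase.c
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-534e5212-672a1ad8.zip/Mein.class Infected: Trojan.Java.Binny.a
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-534e5212-672a1ad8.zip Infected: Trojan.Java.Binny.a
C:\q243041.exe Infected: Trojan-Downloader.Win32.Femad.ae
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP3\A0002256.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\WINDOWS\system32\avpe64.sys Infected: Backdoor.Win32.Haxdoor.fr
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\winupdt.exe Infected: Backdoor.Win32.Haxdoor.fr
C:\WINDOWS\system32\qz.sys Infected: Backdoor.Win32.Haxdoor.fr
Scan process completed.
"""


def classify(path):
    """Return the location label for a host file path."""
    for label, rx in LOCATION_RULES:
        if rx.search(path):
            return label
    return "other"


def parse_report(text):
    """Yield (host_file, location, detection) for every Infected line.

    Members of archives and streams are attributed to the host file on disk,
    i.e. everything before the first '/' (Windows paths use backslashes, so
    '/' only ever introduces an inner object in these reports).
    """
    results = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, footer, blank or statistics line
        host = m.group("obj").split("/", 1)[0]
        results.append((host, classify(host), m.group("name")))
    return results


def summarize(text):
    """Group detections by location, one entry per (host file, detection)."""
    by_location = defaultdict(set)
    for host, loc, name in parse_report(text):
        by_location[loc].add((host, name))
    return {loc: sorted(items) for loc, items in by_location.items()}


def live_detections(text):
    """Detections outside caches and restore points: the ones to look at first."""
    summary = summarize(text)
    return summary.get("system", []) + summary.get("other", [])


if __name__ == "__main__":
    for loc, items in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"[{loc}]")
        for host, name in items:
            print(f"  {name}  <-  {host}")
```

Running it on the full report would list the three Backdoor.Win32.Haxdoor.fr files under "system" and C:\q243041.exe under "other", which is exactly the split between "take care of the Haxdoor in the next step" and "delete the file" in the reply above.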

Unread postby wonderwill » December 24th, 2005, 1:19 pm

Hijack this file

Real difficulties sending Rkr as it is 4.2 Mb


Logfile of HijackThis v1.99.1
Scan saved at 16:45:08, on 24/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Rkr\RootkitRevealer.exe
C:\Documents and Settings\Owner.HOMESOPHIE\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE PopUp-Killer - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5357196000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7818920249
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ ... loader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OJDGKR - Sysinternals - http://www.sysinternals.com - C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\OJDGKR.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Unread postby Kimberly » December 24th, 2005, 1:23 pm

Hi wonderwill,

I'll send you a PM with an email addy, zip the RR log and send it to me please.

Did you see my last reply ? We did post almost at the same time, so I hope you did notice it. :)

I'll check back later on or tomorrow, as it is almost Xmas eve here and I have still plenty of things to do.

Happy XMas to you and your daughter. :)

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby wonderwill » December 24th, 2005, 1:31 pm

StartupList report, 24/12/2005, 17:29:37
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Owner.HOMESOPHIE\Desktop\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Rkr\RootkitRevealer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.HOMESOPHIE\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner.HOMESOPHIE\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup]
NETGEAR WG111T Smart Wizard.lnk = ?

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Zone Labs Client = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
IgfxTray = C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll - {49E0E0F0-5C30-11D4-945D-000000000003}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky On-line Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/downloads/kws/ ... nicode.cab

[{3334504D-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/ ... p43dmo.CAB

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupda ... 5357196000

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftup ... 7818920249

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab

[Seekford Solutions, Inc.'s ssiPictureUploader Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\SSIPIC~1.OCX
CODEBASE = http://img.funtigo.com/images/uploader/ ... loader.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/MsnMe ... loader.cab

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/sh ... wflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
SpeedTouch USB ADSL PPP Networking Driver (NDISWAN): System32\DRIVERS\alcan5wn.sys (manual start)
SpeedTouch ADSL Modem ATM Transport: System32\DRIVERS\alcaudsl.sys (manual start)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NETGEAR WG111T USB2.0 Wireless Card Service: System32\DRIVERS\wg11tnd5.sys (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
NETGEAR WG111T bootloader driver: System32\Drivers\ATHFMWDL.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: system32\DRIVERS\dmio.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNINDIS5 NDIS Protocol Driver: \??\C:\WINDOWS\System32\DNINDIS5.SYS (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
EpsonBidirectionalService: C:\Program Files\EPSON\ESM2\eEBSVC.exe (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Creative AudioPCI (ES1370), SB PCI 64/128 (WDM): system32\drivers\ES1370MP.sys (manual start)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
ewido security suite driver: \??\C:\Program Files\ewido\security suite\guard.sys (system)
ewido security suite guard: C:\Program Files\ewido\security suite\ewidoguard.exe (disabled)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
IntelIde: system32\DRIVERS\intelide.sys (system)
Intel Processor Driver: system32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
AEGIS Protocol (IEEE 802.1x) v2.3.1.10: System32\DRIVERS\mdc8021x.sys (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OJDGKR: C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\OJDGKR.exe (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{44644301-5CAC-48B5-8DC0-0D5246A8CCB6} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\system32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
vsdatant: System32\vsdatant.sys (system)
TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 32,852 bytes
Report generated in 0.453 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
wonderwill
Regular Member
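
The StartupList report above is long enough that the handful of entries worth a helper's attention are easy to miss by eye. The Python script below is an added example written for this page; it is not part of StartupList, HijackThis or anything the volunteers asked for. It splits a StartupList report on its dashed separators and then flags three things: services whose binary is launched from a user's Temp folder or profile, executable file associations whose shell open command differs from the Windows XP defaults, and Winsock LSP modules outside System32. The first sample input is an excerpt of the log posted above; the second, with a loader.exe in the .EXE association, is constructed to show what a hijacked association looks like, and that file name is hypothetical. Run over the excerpt, it reports the OJDGKR service started from C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp, which is the kind of entry to look at first whatever the file turns out to be.

```python
"""Triage helper for StartupList-style logs.

Added example for this page, not part of StartupList or any tool the
helpers asked for. It reads three sections of a StartupList report and
flags what a malware-removal helper looks at first: services launched
from a user's Temp folder or profile, executable file associations that
differ from the Windows XP defaults, and Winsock LSP modules outside
System32 (third-party LSPs can be legitimate, so that one is a pointer,
not a verdict)."""
import re

# Windows XP defaults for the shell open commands StartupList reports.
EXPECTED_ASSOC = {
    ".EXE": '"%1" %*',
    ".COM": '"%1" %*',
    ".BAT": '"%1" %*',
    ".PIF": '"%1" %*',
    ".SCR": '"%1" /S',
    ".HTA": 'C:\\WINDOWS\\system32\\mshta.exe "%1" %*',
    ".TXT": '%SystemRoot%\\system32\\NOTEPAD.EXE %1',
}

# Service line: "<display name>: <image path> (<start type>)"
SERVICE_RE = re.compile(r"^(?P<name>.+?): (?P<image>.+) "
                        r"\((?P<start>system|manual start|autostart|disabled)\)$")
ASSOC_RE = re.compile(r"^File association entry for (?P<ext>\.[A-Z]+):$")
LSP_RE = re.compile(r"^(?P<slot>(?:NameSpace|Protocol) #\d+): (?P<path>.+)$")
# Fragments that place a service binary inside a user profile or Temp folder.
USER_PATH_RE = re.compile(
    r"\\temp\\|docume~1|documents and settings|locals~1|local settings", re.I)


def parse_sections(text):
    """Split the report on its dashed separator lines, dropping blank lines.
    Each section is a list of lines whose first element is the header."""
    sections, current = [], []
    for line in text.splitlines():
        if line.startswith("-----"):
            if current:
                sections.append(current)
            current = []
        elif line.strip():
            current.append(line.rstrip())
    if current:
        sections.append(current)
    return sections


def triage(text):
    """Return (kind, subject, value, detail) tuples for suspicious entries."""
    findings = []
    for section in parse_sections(text):
        header, body = section[0], section[1:]
        assoc = ASSOC_RE.match(header)
        if header.startswith("Enumerating Windows NT/2000/XP services"):
            for line in body:
                m = SERVICE_RE.match(line)
                if m and USER_PATH_RE.search(m["image"]):
                    findings.append(("service-in-user-path", m["name"],
                                     m["image"], m["start"]))
        elif assoc and assoc["ext"] in EXPECTED_ASSOC:
            expected = EXPECTED_ASSOC[assoc["ext"]]
            for line in body:
                if line.startswith("(Default) = "):
                    cmd = line[len("(Default) = "):]
                    if cmd.lower() != expected.lower():
                        findings.append(("assoc-hijacked", assoc["ext"],
                                         cmd, expected))
        elif header.startswith("Enumerating Winsock LSP files"):
            for line in body:
                m = LSP_RE.match(line)
                if m and not m["path"].lower().startswith("c:\\windows\\system32\\"):
                    findings.append(("lsp-outside-system32", m["slot"],
                                     m["path"], ""))
    return findings


# Excerpt of the StartupList report posted above, used as sample input.
SAMPLE_LOG = r"""File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
OJDGKR: C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\OJDGKR.exe (manual start)
"""

# Constructed, not from the thread: a hijacked .EXE association that runs a
# hypothetical loader.exe before every program the user starts.
HIJACKED_LOG = r"""File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = C:\WINDOWS\system32\loader.exe "%1" %*
"""

if __name__ == "__main__":
    for log in (SAMPLE_LOG, HIJACKED_LOG):
        for kind, subject, value, detail in triage(log):
            print(f"{kind}: {subject} -> {value}",
                  f"(expected {detail})" if detail else "")
```

The checks are triage heuristics, not verdicts: a third-party LSP installed under Program Files or an installer's helper service in a profile folder can trip them, so each finding is a place to look before the rest of the log, and the file itself still has to be identified.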

Unread postby Kimberly » December 24th, 2005, 1:37 pm

In addition to all the above, I would need a Silent Runners log too please.

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") to download Silent Runners to your Desktop.
Run Silent Runners by double-clicking the Silent Runners icon on your desktop.
You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
Once you receive the prompt "All Done!", it will produce a log named "StartupPrograms"
Kimberly
MRU Teacher Emeritus

Unread postby wonderwill » December 24th, 2005, 1:38 pm

Kim

Thanks for this. Await your PM with email addy for Rkr zip.

Xmas eve here too (Edinburgh) and lots going on.

Cannot say how much I appreciate your help and hope you have a lovely Xmas.

Regards

Ww
wonderwill
Regular Member

Unread postby Kimberly » December 24th, 2005, 2:12 pm

Hello wonderwill,

I did send you a private message with the email addy. At the top of the forum page, under the Malware Removal logo, you should see: You have 1 new messages - just click that link to read the Private message.

I hope you will have a very nice XMas too. :)

Kim
Kimberly
MRU Teacher Emeritus

Unread postby Kimberly » December 25th, 2005, 1:18 pm

Hello wonderwill,

First of all, did you perform the cleanup I did post before? I'll list it again because it's easier for you.

Keep all browsers closed. Click on Start then Control Panel
Double click on the Java plug-in icon (there may be more than one). The Java Control Panel appears.
  1. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
  2. Click the Delete Files. The Delete Temporary Files dialog box appears.
    Put a checkmark next to the three options on this window to clear the cache.
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  3. Click Ok on the Delete Temporary Files window.
  4. Click Ok on Temporary Files Settings window.
If there are other Java plug-in icons... perform the same action on all of them. That should clean out the infected files.
______________________________

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, click to select the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click Apply then OK.
______________________________

Delete the file : C:\q243041.exe
______________________________

I did receive the rkr log, lots of entries in the log and I still have to review it. Right now I don't see the service in your startup log, it usually does not hide the services registry entries. It doesn't appear to be active unless you have an updated version. I need more information and an answer to a couple of questions.

There's something you should be aware of, this PC might be very seriously compromised. Haxdoor is a rootkit and can hide lots of things and perform different tasks. Below is a general overview of what can be done. Haxdoor is also a keylogger and some are also spambots.

Haxdoor :
Steals user names, passwords, and system information and sends it to a remote attacker.
Lowers security settings by blocking access to security-related Web sites and ending security-related processes.
Download files
Execute programs
Control the device driver of the rootkit
Steal passwords stored in Protected Storage
Steal cached passwords by calling WNetEnumCachedPasswords API
Gather dialup connection information
Check if webmoney application is installed on the compromised computer
Steal the ICQ password
Log keystrokes
...

I would suggest the following:

1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

and whatever else seems appropriate.

To be honest, if I had that bugger on my system, I would reinstall from scratch, but it's up to you. You should be advised that Haxdoor can be extremely difficult to remove, if registry services are hidden you will need the XP cd to get to the recovery console. If you wish to continue and try a removal, or at least see how far the rootkit is active and hidden, perform the tasks below please :

Download WinPFind.zip to your Desktop or to your usual Download Folder.
http://www.bleepingcomputer.com/files/winpfind.php
Extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.
Open the C:\WinPFind folder and double-click on WinPFind.exe.
Click on Configure Scan Options.
Remove all the checkmarks under Folder Options on the left side by clicking the button Remove All, uncheck Run Addon's and click Apply.
Click on the Start Scan button and wait for it to finish.

Please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log file named C:\WinPFind\WinPFind.txt. Please copy that log into your next reply.
______________________________

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") to download Silent Runners to your Desktop.
Run Silent Runners by double-clicking the Silent Runners icon on your desktop.
You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
Once you receive the prompt "All Done!", it will produce a log named "StartupPrograms"
Kimberly
MRU Teacher Emeritus