Wireless Lan Internet Failure


  • This topic is locked
16 replies to this topic

#1 Dunskey

  • Members
  • 9 posts

Posted 23 July 2007 - 05:36 PM

Hi all. This is my first post to you and I hope you can help me.

After coming back from university my son's computer refused to access the internet via our wireless LAN. Its wireless card reports a good connection.

I have cleaned the machine with the latest updates of Spybot and Ad-Aware with no success. On starting up I.E. the message "Detecting Proxy Server" appears in the message bar at the bottom of the page. It then refuses to find any internet page. Firefox just refuses to find any page.

No proxy server is set up.

The wireless card shows an IP address for the machine of typically 169.254.108.101, 169.254.60.109 etc. These addresses, which vary, are not in the range served by my wireless router which the machine is set to obtain automatically.

AVG 7.5 shows that the machine is infected with a Trojan horse Downloader.Agent.LZO which leaves a file Windows/temp/startdrv.exe. This file is removed by AVG but it is re-instated upon a reboot.

I can find little info on this variant of Downloader.Agent in order to try to remove it manually, or otherwise. I am trying to avoid re-installing the system. I have attached the HijackThis log and HijackThis StartupList below. I will be grateful for any help you can give me.
Thanks
Dave


-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:11, on 23/07/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Octoshape Streaming Services\Nigel\OctoshapeClient.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Nigel\Application Data\U3\000018474960A523\LaunchPad.exe
K:\Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.250.1:8080
R3 - URLSearchHook: (no name) - {6C3D987E-A99D-8188-8549-B7F4A0AEF002} - DCC_send.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [msag] Preliminary.exe
O4 - HKLM\..\Run: [ABCXYZ] TemplateDongle.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [dmiwd.exe] C:\WINDOWS\System32\dmiwd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [sysconf16] media64.exe
O4 - HKCU\..\Run: [barint] backorif.exe
O4 - HKCU\..\Run: [Serviceprocess] br0ken.exe
O4 - HKCU\..\Run: [con] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\Nigel\OctoshapeClient.exe" -inv:bootrun
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\zpx.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Reversi - http://download2.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{926CF338-14AE-4111-A413-E1ED8B83C618}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC964A25-51CC-464F-9494-679A736BC294}: NameServer = 85.255.116.163,85.255.112.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{E922504F-1ED4-4B34-A18E-E9826B25AA88}: NameServer = 85.255.116.163,85.255.112.102
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9051 bytes

---------------------------------------------------------------------------------------------------------------------------------------------------------------------

StartupList report, 23/07/2007, 12:17:26
StartupList version: 1.52.2
Started from : K:\Documents\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Octoshape Streaming Services\Nigel\OctoshapeClient.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Nigel\Application Data\U3\000018474960A523\LaunchPad.exe
K:\Documents\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
BTTray.lnk = ?
Exif Launcher.lnk = ?
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SiSUSBRG = C:\WINDOWS\SiSUSBrg.exe
RemoteControl = "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
CTSysVol = C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
CTDVDDET = C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
AsioReg = REGSVR32.EXE /S CTASIO.DLL
SBDrvDet = C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
LogitechVideoRepair = C:\Program Files\Logitech\Video\ISStart.exe
B'sCLiP = C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
DAEMON Tools-1033 = "C:\Program Files\D-Tools\daemon.exe" -lang 1033
CTHelper = CTHELPER.EXE
CloneCDElbyCDFL = "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
msag = Preliminary.exe
ABCXYZ = TemplateDongle.exe
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
REGSHAVE = C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
HP Software Update = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
dmiwd.exe = C:\WINDOWS\System32\dmiwd.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
RemoteCenter = C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
PowerBar =
sysconf16 = media64.exe
barint = backorif.exe
Serviceprocess = br0ken.exe
con = C:\Windows\xpupdate.exe
RealPlayer = "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
Octoshape Streaming Services = "C:\Program Files\Octoshape Streaming Services\Nigel\OctoshapeClient.exe" -inv:bootrun

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ss3dfo.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Download Program Files:

[Facebook Photo Uploader Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\FacebookPhotoUploader.ocx
CODEBASE = http://upload.facebook.com/controls/Facebo...otoUploader.cab

[SecureLogin class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\securelogin.ocx
CODEBASE = http://secure2.comned.com/signuptemplates/...login-devel.cab

[MSN Games - Installer]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab

[{D27CDB6E-AE6D-0000-0000-000000000000}]
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #2: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #3: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #4: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #5: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #6: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #7: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #8: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #9: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #10: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #11: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #12: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #13: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #14: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #15: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #16: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #17: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #18: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #19: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #20: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #21: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #22: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #23: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #24: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #25: C:\WINDOWS\System32\zpx.dll (file MISSING)
Protocol #37: C:\WINDOWS\System32\zpx.dll (file MISSING)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\Nigel\LOCALS~1\Temp\~nsu.tmp\Au_.exe||C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\mwn.exe||C:\Program Files\GRISOFT\|||s

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 9,316 bytes
Report generated in 0.234 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


#2 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 29 July 2007 - 09:39 PM

Hello Dunskey,

Our apologies for the delay. I am looking at your log now and will reply shortly.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 29 July 2007 - 10:32 PM

Hi Dunskey,

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from this site:
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.

You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts.

 If your system does not reboot, then reboot it manually.

Please boot into Normal Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix".

O4 - HKLM\..\Run: [msag] Preliminary.exe
O4 - HKLM\..\Run: [ABCXYZ] TemplateDongle.exe
O4 - HKLM\..\Run: [dmiwd.exe] C:\WINDOWS\System32\dmiwd.exe
O4 - HKCU\..\Run: [sysconf16] media64.exe
O4 - HKCU\..\Run: [barint] backorif.exe
O4 - HKCU\..\Run: [Serviceprocess] br0ken.exe
O4 - HKCU\..\Run: [con] C:\Windows\xpupdate.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC964A25-51CC-464F-9494-679A736BC294}: NameServer = 85.255.116.163,85.255.112.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{E922504F-1ED4-4B34-A18E-E9826B25AA88}: NameServer = 85.255.116.163,85.255.112.102


Close HijackThis, and click OK to proceed.


* Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category.

If you are in Classic View, go to the next step.

Double-click the Network Connections icon
Right-click the Local Area Connection icon and select Properties.
Highlight Internet Protocol (TCP/IP) and click the Properties button.
Be sure Obtain DNS server address automatically is selected.
OK your way out.

* Go to Start > Run and type in cmd
Click OK.
This will open a command prompt.
Type or copy and paste the following line in the command window:

ipconfig /flushdns

Hit Enter.
Exit the command window.


Reboot your computer again.

Please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

#4 Dunskey
  • Topic Starter

  • Members
  • 9 posts

Posted 31 July 2007 - 06:21 PM

Thanks for your reply. It will be a few days before I can action your instructions due to other commitments.

I assume it would be desirable to hard connect the infected computer to the internet in order to allow Wareout to download the additional file from the internet, rather than rely on the wireless link which seems to have been hijacked.

Dunskey

#5 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 31 July 2007 - 06:53 PM

It really does not matter, as long as you download it and run it.

#6 Dunskey
  • Topic Starter

  • Members
  • 9 posts

Posted 06 August 2007 - 11:44 AM

Ok. I hard connected to the LAN. The computer registered the connection but neither IE nor Firefox could connect, as before with the wireless LAN.

I followed the instructions with the following points of note:

a) Zonealarm registered no attempt by FixWareout to connect to the internet

b) The two O17 entries you gave did not exist. Only the following existed, which I did not remove:
O17 - HKLM\System\CCS\Services\Tcpip\..\{926CF338-14AE-4111-A413-E1ED8B83C618}: NameServer = 208.67.220.220,208.67.222.222

c) On completion, IE and Firefox still do not connect to the internet either by direct LAN or Wireless LAN. IE still seems to be attempting to connect to a proxy server which it has not been set up to do.

HijackThis and FixWareout logs follow. Sorry, but I am looking for more help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:12:29, on 06/08/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Octoshape Streaming Services\Nigel\OctoshapeClient.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Nigel\Application Data\U3\000018474960A523\LaunchPad.exe
K:\Documents\HijackThis.exe
C:\WINDOWS\System32\HPZipm12.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.250.1:8080
R3 - URLSearchHook: (no name) - {6C3D987E-A99D-8188-8549-B7F4A0AEF002} - DCC_send.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\Nigel\OctoshapeClient.exe" -inv:bootrun
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\zpx.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Reversi - http://download2.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{926CF338-14AE-4111-A413-E1ED8B83C618}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8401 bytes

---------------------------------------------------------------------------------------------------------------------------------------


Username "Nigel" - 2007-08-06 16:39:10 [Fixwareout edited 2007/07/05]

»»»»»Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{DC964A25-51CC-464F-9494-679A736BC294}
"nameserver"="85.255.116.163,85.255.112.102" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{E922504F-1ED4-4B34-A18E-E9826B25AA88}
"nameserver"="85.255.116.163,85.255.112.102" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

»»»»» Postrun check
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "xedocne" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "gib_ogol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "repiwoh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "llun" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23plhps" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "mgcppp" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "tesvaf" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "32refaselif" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "putesprpgd" Deleted
....
»»»»» Misc files.
C:\Documents and Settings\Nigel\Application Data\Install.dat Deleted
....
»»»»» Checking for older varients.
....

»»»»» Current runs (hklm hkcu "run" Keys Only)

....
Hosts file was reset, If you use a custom hosts file please replace it
C:\WINDOWS\System32\AUTOEXEC.NT missing
»»»»» End report »»»»»

#7 SifuMike (malware expert)

Posted 06 August 2007 - 11:59 AM

Hi Dunskey,

Download and run LSPFix from http://cexx.org/lspfix.htm

Use these instructions to remove the bad DLL:
1. Run LSPFix.
2. Check 'I know what I'm doing'.
3. Select zpx.dll
4. Click the right-pointing arrow (moves it to the "remove" page).
5. Click 'Finished'.

6. Restart your computer in "Safe Mode" (F5 or F8 when starting Windows).
7. Delete the file c:\windows\system32\zpx.dll. Do NOT delete ANY other files!
8. Restart your computer and bring it up in normal mode.




Download CCleaner and install it. (default location is best). Do not download the Beta version 2.0. Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

R3 - URLSearchHook: (no name) - {6C3D987E-A99D-8188-8549-B7F4A0AEF002} - DCC_send.dll (file missing)
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab



*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Finally, reboot your computer, post a new Hijackthis log, and tell me how your computer is running.

Edited by SifuMike, 06 August 2007 - 12:06 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 Dunskey (Topic Starter)

Posted 07 August 2007 - 03:24 PM

Ok. Things are looking better. The computer can now connect to the wireless LAN and access the internet but there are still some problems.

Startdrv.exe is still re-appearing in c:\windows\temp after each reboot despite AVG having previously detected it as a threat and sent it to the virus vault.

I am not convinced that the Lan is operating totally correctly as I cannot access shared folders across the LAN between my main computer and the problem one. This applies in either direction. I do not think I have missed anything.

HijackThis log follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:18:50, on 07/08/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Nigel\Application Data\U3\000018474960A523\LaunchPad.exe
K:\Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.250.1:8080
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\Nigel\OctoshapeClient.exe" -inv:bootrun
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Reversi - http://download2.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{926CF338-14AE-4111-A413-E1ED8B83C618}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7996 bytes
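
As an added example (not code from this thread, from HijackThis or from BleepingComputer), a small Python triage that flags the same classes of entry the helper has been picking out of these logs by eye: a proxy set in Internet Settings (R1), hooks whose file is missing (the R3 line above), Winsock LSP problems (O10), and per-interface DNS servers (O17) that are not on an expected list. The EXPECTED_DNS allow-list is an assumption made for the example, and the sample log is assembled from lines on this page (the R1 proxy line, the R3 and O10 lines, and the two nameserver values Fixwareout cleared, written out as an O17 entry).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed allow-list for this example: the resolvers this household expects
# to be handed out. 208.67.220.220 and 208.67.222.222 are the OpenDNS servers
# that the later log in the thread shows; anything else is flagged for review.
EXPECTED_DNS = {"208.67.220.220", "208.67.222.222"}

# HijackThis writes one entry per line as "<section> - <body>", e.g. "O17 - ...".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O10"
    reason: str    # why a reviewer should look at this line
    line: str      # the log line as written


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split a HijackThis entry into (section, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group("sec"), m.group("body")


def triage(log_text: str) -> List[Finding]:
    """Return the entries a helper would want to look at, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue  # header lines, 'Running processes' paths, blank lines
        sec, body = parsed
        line = raw.strip()
        if sec == "R1" and "ProxyServer" in body:
            findings.append(Finding(sec, "a proxy is set in Internet Settings; confirm it was set on purpose", line))
        if "(file missing)" in body:
            findings.append(Finding(sec, "entry points at a file that no longer exists (orphaned hook)", line))
        if sec == "O10":
            if "missing" in body or "Broken" in body:
                reason = "broken Winsock LSP chain (provider DLL missing); repair with an LSP tool rather than deleting the entry"
            else:
                reason = "LSP provider not recognised; confirm it belongs to installed software"
            findings.append(Finding(sec, reason, line))
        if sec == "O17":
            m = NAMESERVER_RE.search(body)
            if m:
                unexpected = sorted(set(m.group(1).split(",")) - EXPECTED_DNS)
                if unexpected:
                    findings.append(Finding(sec, "DNS servers not on the expected list: " + ", ".join(unexpected), line))
    return findings


# Constructed sample, assembled from lines posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.250.1:8080
R3 - URLSearchHook: (no name) - {6C3D987E-A99D-8188-8549-B7F4A0AEF002} - DCC_send.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\zpx.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC964A25-51CC-464F-9494-679A736BC294}: NameServer = 85.255.116.163,85.255.112.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{926CF338-14AE-4111-A413-E1ED8B83C618}: NameServer = 208.67.220.220,208.67.222.222
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```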

#9 SifuMike (malware expert)

Posted 07 August 2007 - 04:19 PM

Hi Dunskey,

Startdrv.exe is still re-appearing in c:\windows\temp after each reboot despite AVG having previously detected it as a threat and sent it to the virus vault.


That sounds like you still have a trojan hiding on your computer.
Let's run two scans and see what they find.

You will need to use Internet Explorer for this scan.
Disable your antivirus program and go here to run BitDefender Online Scan.
Click on I Agree.
Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.

When the ActiveX Control has loaded, click on "Click here to scan".
Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.

NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.


When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.


******************

Download and install AVG Anti-Spyware v7.5.
  • After download, double click on the file to launch the install process.
  • Choose a language, click "OK" and then click "Next".
  • Read the "License Agreement" and click "I Agree".
  • Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
  • After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
  • Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
  • Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". (Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this is the case, press the WINKEY + M key to "Minimize" the AVG display. Then right-click on AVG in the Task Bar and select "Maximize". If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)

Scan with AVG Anti-Spyware as follows:
  • Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?", "Possibly unwanted software", and "What to Scan?" leave all the default settings.
  • Under "Reports" select "Do not automatically generate reports" and UNcheck "Only if threats were found".
  • Click the "Scan" tab to return to scanning options.
  • Click "Complete System Scan" to start.
  • When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there.
  • You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
  • Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop.
    A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
  • Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.
Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner, or you may purchase a license to use the full version.

When done, submit the BitDefender log, the AVG Anti-Spyware 7.5 log and a fresh Hijackthis log.

#10 Dunskey (Topic Starter)

Posted 09 August 2007 - 07:14 PM

An interesting aside here as I have yet to perform the scans you requested. When I attempted to access the bleepingcomputer site from the infected computer, to check your instructions, bleepingcomputer could not be found. A little further investigation shows that your site is being systematically blocked, presumably by the virus.

I cannot access it either by typing in the name in the address bar, or from a Google search result!

A dubious accolade!!!! but maybe you should be honoured. You must be doing something right :thumbsup:

#11 SifuMike (malware expert)

Posted 09 August 2007 - 09:59 PM

Hi Dunskey,

Let's reset the Hosts file and see if that fixes the access problems.



Download the HostsXpert Here
http://www.funkytoad.com/download/HostsXpert.zip

Unzip HostsXpert to your desktop

Open up the HostsXpert program.

* Make sure that the "make hosts writable?" button in the upper left corner is enabled.
* Click back up Host files
* then click "Restore MS Hosts File"
* close program

Now see if you can reach the BitDefender Online Scanner site, AVG antispyware site and Bleeping Computers site.

Edited by SifuMike, 09 August 2007 - 10:01 PM.


#12 Dunskey (Topic Starter)

Posted 11 August 2007 - 10:25 AM

Hi SifuMike,

I ran HostsXpert and it made no difference. Bleepingcomputer remained inaccessible. It is the only site so far that I have found that appears to be blocked.

I ran Bitdefender Online; however, in its infinite wisdom, IE decided to develop a serious internal fault late on in the scan and dumped all the results.

I can, however, remember some of what was detected and, I think, deleted. They included c:\ms32.sys, some warezp2p associated files, a Fruityloops registration file (early installed software so this may be a false hit), and a number of Restore backup files.

I re-ran Bitdefender on each disk independently. Only the System Disk is infected (log attached which shows some of the original removals occurring again).

I ran AVG Anti-Spyware. This removed a number of items (log attached), and finally a fresh HijackThis log.

Bleepingcomputer still remains blocked no matter how I try to access your site.

-------------------------------------------------------------------------------------------------------------------------------


BitDefender Online Scanner

Scan report generated at: Sat, Aug 11, 2007 - 11:41:09

Scan path: D:\Administration Documents\18 WoS Pedal to the Metal;D:\Administration Documents\Bluetooth Exchange Folder;D:\Administration Documents\CyberLink;D:\Administration Documents\FIFA 2005;D:\Administration Documents\My Music;D:\Administration Documents\My Pictures;D:\Administration Documents\My Videos;D:\Administration Documents\SCi;D:\Administration Documents\Shared;C:\Documents and Settings\All Users\Documents;C:\;

Statistics
Time: 01:14:01
Files: 238347
Folders: 6318
Boot Sectors: 5
Archives: 1206
Packed Files: 9467

Results
Identified Viruses: 3
Infected Files: 3
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 3

Engines Info
Virus Definitions: 690733
Engine build: AVCORE v1.0 (build 2410) (i386) (Jun 12 2007 21:08:27)
Scan plugins: 14
Archive plugins: 37
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File -> Status
C:\Documents and Settings\Nigel\Desktop\WarezP2P_TDL.exe=>(NSIS o)=>lzma_solid_nsis0039 -> Infected with: Dropped:Application.Adware.NewDotNet.A
C:\Documents and Settings\Nigel\Desktop\WarezP2P_TDL.exe=>(NSIS o)=>lzma_solid_nsis0039 -> Disinfection failed
C:\Documents and Settings\Nigel\Desktop\WarezP2P_TDL.exe=>(NSIS o)=>lzma_solid_nsis0039 -> Deleted
C:\Documents and Settings\Nigel\Desktop\WarezP2P_TDL.exe=>(NSIS o) -> Update failed
C:\Documents and Settings\Nigel\Desktop\WarezP2P_TDL.exe=>(NSIS o)=>lzma_solid_nsis0040 -> Infected with: Trojan.Downloader.Swizzor.DO
C:\Documents and Settings\Nigel\Desktop\WarezP2P_TDL.exe=>(NSIS o)=>lzma_solid_nsis0040 -> Disinfection failed
C:\Documents and Settings\Nigel\Desktop\WarezP2P_TDL.exe=>(NSIS o)=>lzma_solid_nsis0040 -> Deleted
C:\Documents and Settings\Nigel\Desktop\WarezP2P_TDL.exe=>(NSIS o) -> Update failed
C:\Program Files\Common Files\Wise Installation Wizard\WIS6E710E826D6748899DCF9D07587628C5_4_1.MSI=>(Embedded CAB)=>Register.exe -> Infected with: Trojan.Clicker.Delf.G
C:\Program Files\Common Files\Wise Installation Wizard\WIS6E710E826D6748899DCF9D07587628C5_4_1.MSI=>(Embedded CAB)=>Register.exe -> Disinfection failed
C:\Program Files\Common Files\Wise Installation Wizard\WIS6E710E826D6748899DCF9D07587628C5_4_1.MSI=>(Embedded CAB)=>Register.exe -> Deleted
C:\Program Files\Common Files\Wise Installation Wizard\WIS6E710E826D6748899DCF9D07587628C5_4_1.MSI=>(Embedded CAB) -> Update failed

------------------------------------------------------------------------------------------------------------------------------------

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 15:12:53 11/08/2007

+ Scan result:

HKLM\SOFTWARE\IST -> Adware.ISTBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B0934675-0CE2-48F6-A349-E9B8B49AA44D}\RP118\A0059021.dll -> Adware.WinAD : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B0934675-0CE2-48F6-A349-E9B8B49AA44D}\RP112\A0055270.sys -> Downloader.Agent.acl : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\startdrv.exe -> Downloader.Agent.brk : Cleaned with backup (quarantined).
C:\Program Files\Sega\SONICADVENTUREDX\Patch.exe -> Not-A-Virus.Monitor.Win32.Perflogger.be : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B0934675-0CE2-48F6-A349-E9B8B49AA44D}\RP112\A0055268.dll -> Proxy.Dlena.cq : Cleaned with backup (quarantined).
:mozilla.255:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.131:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.132:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.133:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.155:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.162:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.455:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.494:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.182:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.183:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.186:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.272:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.273:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.274:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.275:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.276:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.277:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.278:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.279:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.280:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.592:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@2.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@3.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@stats.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.107:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.108:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.109:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.110:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.111:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.112:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.83:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.85:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.41:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.42:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.49:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.50:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.51:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.215:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adviva : Cleaned.
:mozilla.216:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Adviva : Cleaned.
:mozilla.16:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\D A Brownsea\Cookies\d a brownsea@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.189:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.624:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.625:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@cz4.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.320:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.321:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.322:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.323:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.324:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.325:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.326:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.327:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.328:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.329:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@connextra[2].txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.679:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Cqcounter : Cleaned.
:mozilla.20:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.141:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.301:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.33:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.34:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.35:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.37:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.40:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.48:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.449:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned.
:mozilla.156:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.157:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.733:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@intelli-direct[1].txt -> TrackingCookie.Intelli-direct : Cleaned.
:mozilla.456:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Ivwbox : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@search.live[1].txt -> TrackingCookie.Live : Cleaned.
:mozilla.713:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
:mozilla.143:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.144:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@auto.search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
:mozilla.94:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.95:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@oewabox[1].txt -> TrackingCookie.Oewabox : Cleaned.
:mozilla.740:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.741:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.742:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.743:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.218:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.219:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.220:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.224:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
:mozilla.32:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\D A Brownsea\Cookies\d a brownsea@www.paypal[2].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@ads.planetactive[1].txt -> TrackingCookie.Planetactive : Cleaned.
:mozilla.145:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.146:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.566:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.15:C:\Documents and Settings\D A Brownsea\Application Data\Mozilla\Firefox\Profiles\zfkc4gz8.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.16:C:\Documents and Settings\D A Brownsea\Application Data\Mozilla\Firefox\Profiles\zfkc4gz8.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.17:C:\Documents and Settings\D A Brownsea\Application Data\Mozilla\Firefox\Profiles\zfkc4gz8.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.18:C:\Documents and Settings\D A Brownsea\Application Data\Mozilla\Firefox\Profiles\zfkc4gz8.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.315:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.571:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.572:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.573:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.574:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.575:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.576:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.342:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.343:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.344:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.345:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.346:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.347:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.348:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.349:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.350:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.351:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.352:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.353:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.354:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.355:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.356:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.357:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.358:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.359:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.360:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.361:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.362:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.363:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.364:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.365:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.366:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.367:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.368:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.369:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.370:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.371:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.372:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.373:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.374:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.375:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.376:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.377:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.378:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.379:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.380:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.381:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.382:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.383:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.384:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.385:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.386:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.387:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.388:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.389:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.390:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.391:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.753:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.754:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.755:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.585:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.586:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.587:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.588:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.589:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Spylog : Cleaned.
:mozilla.597:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.598:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.599:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.76:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.58:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.336:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Xhit : Cleaned.
:mozilla.670:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@yadro[2].txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.65:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.66:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.67:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.68:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.69:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.70:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.71:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.75:C:\Documents and Settings\Nigel\Application Data\Mozilla\Firefox\Profiles\f256e34a.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Nigel\Cookies\nigel@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

-----------------------------------------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:40:31, on 11/08/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\Program Files\Octoshape Streaming Services\Nigel\OctoshapeClient.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Nigel\Application Data\U3\000018474960A523\LaunchPad.exe
K:\Documents\HijackThis.exe
C:\WINDOWS\System32\HPZipm12.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.250.1:8080
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\Nigel\OctoshapeClient.exe" -inv:bootrun
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Reversi - http://download2.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{926CF338-14AE-4111-A413-E1ED8B83C618}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8755 bytes

#13 SifuMike (malware expert)
Posted 11 August 2007 - 12:27 PM

Hi Dunskey,

Let's check your HOSTS file.
It's located at c:\windows\system32\drivers\etc\hosts.
You can open it in Notepad.
If it's just some lines on top with a # in front of them, followed by 127.0.0.1 localhost, then you don't need to post it;
however, if there are other entries following 127.0.0.1 localhost, you may have to fix it.
Post it here if that's the case.



* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, see if you can click the next icon next to the files found: Posted Image
  • If so, click it, then click the next icon right below it and select Move incurable, as you'll see in the next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! It's possible that files in use will be moved/deleted during the reboot.
  • After the reboot, post the contents of the Dr.Web log you saved previously, along with a new HijackThis log, in your next reply.


As a sidenote - I see you're not afraid of visiting cracksites and using illegal software, because from the logs I can see that you installed some programs that appear on cracksites to get access to the cracks. They install the malware on your system.

If you visit cracksites and use cracks, you'll ALWAYS get infected. This is not only because of the crack itself, but because one single click entering that site may already download and install a huge malware bundle.

You really have to change your surfing habits, because these malware bundles may contain a keylogger, collecting all your passwords and installing other random malware, compromising your system and even infecting other computers. And all this because you visited some illegal sites.

Also, keep in mind that malware DAMAGES A LOT! And the damage can't always be repaired, so a format and reinstall is the only solution in such cases. :thumbsup:

So is it really worth it? Getting illegal software for "free", but compromising/breaking your computer instead....

Better to avoid this and change your surfing habits. Then this wouldn't have happened.
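The HOSTS check described in the post above, as an added example in Python (not code from the post or from BleepingComputer): it reports every active mapping that is not the plain loopback "localhost" entry, which is exactly the case the post says needs a closer look. The sample file and its two flagged hostnames are constructed placeholders.

```python
# Added example (not from the thread): check a Windows HOSTS file the way the
# post above describes, reporting every active mapping that is not the plain
# loopback "localhost" entry so it can be reviewed.
import ipaddress

EXPECTED_LOOPBACK = {"localhost"}  # names a clean file maps to loopback


def parse_hosts(text):
    """Yield (ip, [hostnames], line_no) for each active mapping line;
    comment lines, blank lines and trailing inline comments are skipped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        yield parts[0], parts[1:], line_no


def suspicious_entries(text):
    """Return (line_no, ip, names, reason) for every line that is not a
    plain loopback -> localhost mapping."""
    findings = []
    for ip, names, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, names, "malformed address"))
            continue
        other = [n for n in names if n.lower() not in EXPECTED_LOOPBACK]
        if addr.is_loopback and not other:
            continue  # the benign "127.0.0.1 localhost" case from the post
        if addr.is_loopback:
            reason = "loopback used for another host (site blocked)"
        else:
            reason = "non-loopback address (site redirected)"
        findings.append((line_no, ip, names, reason))
    return findings


# Constructed sample: clean header and localhost line, then two entries of
# the kind a hijacked file contains (the hostnames are placeholders).
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       updates.av-vendor.example   # blocks updates (constructed)
203.0.113.5     www.bank.example            # redirects a site (constructed)
"""

if __name__ == "__main__":
    for line_no, ip, names, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} -> {' '.join(names)}: {reason}")
```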

#14 Dunskey (Topic Starter)

Posted 12 August 2007 - 06:14 AM

Hi SifuMike,

Yes, I fully agree with you about cracksites. However, this is not my computer but my son's.

Having explained to him the error of his ways, I am left to clear up the mess :flowers:, with your assistance of course :thumbsup:

#15 Dunskey (Topic Starter)

Posted 18 August 2007 - 11:01 AM

Hi SifuMike,

The latest:

The HOSTS file was OK.
DrWeb did not find anything in memory but did find the WarezP2P that had been deleted before. It also mistook and removed the HostsXpert program that I had loaded to the desktop earlier.

On a whim I uninstalled the DAEMON Tools program that creates a pseudo CD drive, in case it was the source of the recurring c:\windows\temp\Startdrv.exe that AVG keeps finding as a virus. I note that only AVG so far has identified this file.

DAEMON Tools was not the culprit and it is still reappearing after each reboot. Bleepingcomputer.com is still not accessible from IE or Firefox.

DrWeb and HijackThis logs follow:

-------------------------------------------------------------------------------------------------------------------

DrWeb

HostsXpert.exe;C:\Documents and Settings\Nigel\Desktop;Probably WIN.WORM.Virus;Incurable.Moved.;
WarezP2P_TDL.exe;C:\Documents and Settings\Nigel\Desktop;Adware.NewDotNet;Incurable.Moved.;


--------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:15:23, on 18/08/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Octoshape Streaming Services\Nigel\OctoshapeClient.exe
C:\Documents and Settings\Nigel\Application Data\U3\000018474960A523\LaunchPad.exe
K:\Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.250.1:8080
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\Nigel\OctoshapeClient.exe" -inv:bootrun
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Reversi - http://download2.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{926CF338-14AE-4111-A413-E1ED8B83C618}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8710 bytes
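The R1 ProxyServer and O17 NameServer lines in the log above are the settings that decide where this machine's web traffic and name lookups go, and the R1 line sets a proxy at 172.16.250.1:8080 even though the opening post says no proxy is configured. The following added script (not from the thread or from HijackThis) pulls those two settings out of a log and flags a proxy when none is expected and DNS servers outside an expected set; the sample lines are copied from the log above, and the 192.168.2.1 router address is an assumption for the demo.

```python
# Added example (not from the thread): pull the R1 ProxyServer and O17
# NameServer settings out of a HijackThis log and compare them with what the
# owner believes is configured (no proxy, DNS handed out by the router).
import re

R1_PROXY = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (\S+)")
O17_DNS = re.compile(r"^O17 - .*: NameServer = (\S+)")


def network_settings(log_text):
    """Return {'proxies': [...], 'nameservers': [...]} found in the log."""
    proxies, nameservers = [], []
    for line in log_text.splitlines():
        m = R1_PROXY.match(line)
        if m:
            proxies.append(m.group(1))
            continue
        m = O17_DNS.match(line)
        if m:
            nameservers.extend(m.group(1).split(","))
    return {"proxies": proxies, "nameservers": nameservers}


def review(log_text, expect_proxy=False, allowed_dns=()):
    """List the settings that disagree with the owner's expectations."""
    found = network_settings(log_text)
    issues = []
    if found["proxies"] and not expect_proxy:
        issues.append("proxy set but none expected: " + ", ".join(found["proxies"]))
    rogue = [ns for ns in found["nameservers"] if ns not in allowed_dns]
    if rogue:
        issues.append("DNS servers outside the expected set: " + ", ".join(rogue))
    return issues


# Sample: three lines copied from the log above (the R0 line is there to show
# that unrelated entries are ignored).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 172.16.250.1:8080
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{926CF338-14AE-4111-A413-E1ED8B83C618}: NameServer = 208.67.220.220,208.67.222.222
"""

if __name__ == "__main__":
    # Assumption for the demo: the home router hands out 192.168.2.1 as DNS.
    for issue in review(SAMPLE_LOG, expect_proxy=False, allowed_dns=("192.168.2.1",)):
        print(issue)
```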



