
Virtumonde And Ndrv.exe Virus


  • This topic is locked
7 replies to this topic

#1 Rayth

  • Members
  • 4 posts

Posted 23 August 2007 - 08:47 PM

My Symantec anti-virus is picking up ndrv.exe downloader virus in C:\Docume~1\Marvin\Locals~1\Temp\. My Spy-bot search and destroy is picking up Virtumonde adware. I've used both programs to clear up both in safe mode, but they both keep reappearing around the same time. Are they related? Please help me remove them permanently.

Please keep in mind that I have Blazing Tools Perfect Keylogger Lite installed on purpose. Please disregard those entries.
The HijackThis log follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:33:31 PM, on 8/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
E:\Programs\WIDCOMM\Bluetooth Software\bin\btwdins.exe
e:\programs\power panel\upssrv.exe
E:\Symantec\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
e:\programs\power panel\upsio.exe
E:\Symantec\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\cryptainersrv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
E:\Symantec\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\Program Files\Perfect Keylogger Lite\bpk.exe
C:\WINNT\NCLAUNCH.EXe
C:\WINNT\SCURIT~1\msiexec.exe
C:\Documents and Settings\Marvin\My Documents\s?stem\r?gedit.exe
E:\Programs\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Programs\Hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com;;localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E6D49F7-F76D-FACE-1C11-FE8DBD2A85BC} - C:\WINNT\system32\qyu.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programs\Spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINNT\_MWOLTB.DLL
O2 - BHO: (no name) - {C0C1A50A-43CB-1C3A-BD5E-4A76126100E5} - C:\WINNT\system32\eowq.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINNT\_MWOLTB.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINNT\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINNT\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vptray] E:\Symantec\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BPK] C:\Program Files\Perfect Keylogger Lite\bpk.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] E:\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe
O4 - HKCU\..\Run: [NBJ] "E:\Program Files\ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ISMModule] "C:\Program Files\ISM\ISMModule.exe"
O4 - HKCU\..\Run: [Tssr] "C:\WINNT\SCURIT~1\msiexec.exe" -vt yazb
O4 - HKCU\..\Run: [Shsvmva] "C:\Documents and Settings\Marvin\My Documents\s?stem\r?gedit.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINNT\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINNT\_MWOLTB.DLL/23/220
O8 - Extra context menu item: Send To &Bluetooth - E:\Programs\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Programs\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Programs\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/downloads/toolbar/webinstall.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web580.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...ient/wuweb_site.cab?1126895265483
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...86/client/muweb_site.cab?1187590007031
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC064CA5-538C-44C8-BA47-53012A3880AE}: NameServer = 201.200.24.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C059D459-7622-4133-BEF7-61531CA8060F}: NameServer = 192.168.0.10,192.168.0.1
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - E:\Programs\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: UPS Service (CyberPowerUPS) - Cyber Power System Inc. - e:\programs\power panel\upssrv.exe
O23 - Service: DefWatch - Symantec Corporation - E:\Symantec\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\Symantec\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINNT\SYSTEM32\cryptainersrv.exe
O24 - Desktop Component 0: (no name) - http://www.geocities.com/SiliconValley/660...ion/batana1.gif

--
End of file - 9285 bytes



#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 24 August 2007 - 07:57 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Rayth :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

The current formatting of your log makes it difficult to read/evaluate.
Open 'Notepad', click on 'Format' at the top, then uncheck 'Word Wrap' if it's checked.

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log please.

#3 Rayth
  • Topic Starter

  • Members
  • 4 posts

Posted 24 August 2007 - 09:49 AM

Thanks for helping me. These are the logs you wanted:

Combofix

ComboFix 07-08-24.4 - "Marvin" 2007-08-24 7:32:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1105 [GMT -7:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Marvin\STARTM~1\Programs\Outerinfo
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\WINNT\scurit~1
C:\WINNT\scurit~1\msiexec.exe
C:\WINNT\scurit~1\s?curity\
C:\WINNT\system32\drivers\sfsync02.sys
C:\WINNT\system32\eowq.dll
C:\WINNT\system32\stem~1
C:\WINNT\system32\wnsapisv32.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_SFSYNC02
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-07-24 to 2007-08-24 )))))))))))))))))))))))))))))))


2007-08-24 07:30 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-21 07:43 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-20 20:44 271,224 --a------ C:\WINNT\system32\mucltui.dll
2007-08-02 21:25 <DIR> d-------- C:\VundoFix Backups
2007-08-01 17:19 3,968 --a------ C:\WINNT\system32\drivers\AvgArCln.sys
2007-07-31 18:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-22 18:02 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-07-30 19:19 92504 --a------ C:\WINNT\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINNT\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINNT\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINNT\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINNT\system32\wucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINNT\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINNT\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINNT\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINNT\system32\wups.dll
2007-07-29 19:57 43520 --a------ C:\WINNT\system32\CmdLineExt03.dll
2007-07-26 18:25 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-18 20:36 --------- d-------- C:\Program Files\Lexmark X1100 Series
2007-06-26 18:30 --------- d-------- C:\DOCUME~1\Marvin\APPLIC~1\Snapfish
2007-06-26 18:30 --------- d-------- C:\DOCUME~1\Marvin\APPLIC~1\Snapfish
2007-06-25 23:08 1104896 --a------ C:\WINNT\system32\msxml3.dll
2007-06-19 06:31 282112 --a------ C:\WINNT\system32\gdi32.dll
2007-06-13 03:23 1033216 --a------ C:\WINNT\explorer.exe
2006-01-20 19:21 346 --a------ C:\Program Files\INSTALL.LOG
2003-12-18 12:33 20102 --a------ C:\Program Files\Readme.txt
2003-11-02 16:17 32768 --ahs---- C:\Program Files\Thumbs.db
2003-09-03 08:46 10960 --a------ C:\Program Files\EULA.txt
2001-12-16 16:51 271 ---hs---- C:\Program Files\desktop.ini
2001-12-16 16:51 21952 --ah----- C:\Program Files\folder.htt
2003-11-24 03:47:54 8 --sha-r C:\WINNT\system32\39BCC6255F.sys
2003-11-24 03:50:08 2,828 --sha-w C:\WINNT\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E6D49F7-F76D-FACE-1C11-FE8DBD2A85BC}]
C:\WINNT\system32\qyu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINNT\System32\NvCpl.dll" [2005-08-02 16:35]
"IMJPMIG8.1"="C:\WINNT\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:31]
"IMEKRMIG6.1"="C:\WINNT\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 12:00]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51]
"nwiz"="nwiz.exe" [2005-08-02 16:35 C:\WINNT\system32\nwiz.exe]
"NvMediaCenter"="C:\WINNT\System32\NvMcTray.dll" [2005-08-02 16:35]
"vptray"="E:\Symantec\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 12:35]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [2001-07-09 12:50]
"LVCOMSX"="C:\WINNT\system32\LVCOMSX.EXE" [2005-07-19 18:32]
"QuickTime Task"="C:\QuickTime\qttask.exe" [2005-12-05 21:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WebCamRT.exe"="" []
"BPK"="C:\Program Files\Perfect Keylogger Lite\bpk.exe" [2004-04-19 22:20]
"LogitechSoftwareUpdate"="E:\Logitech\Video\ManifestEngine.exe" [2005-06-08 15:44]
"NCLaunch"="C:\WINNT\NCLAUNCH.EXe" [2006-05-26 18:28]
"NBJ"="E:\Program Files\ahead\Nero BackItUp\NBJ.exe" [2004-07-26 20:14]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]
"ISMModule"="C:\Program Files\ISM\ISMModule.exe" []
"Tssr"="C:\WINNT\SCURIT~1\msiexec.exe" []
"Shsvmva"="C:\Documents and Settings\Marvin\My Documents\s?stem\r?gedit.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINNT\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINNT\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"E:\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
"C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
e:\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
e:\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINNT\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINNT\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware-Cop]
"e:\spy\Spyware-Cop.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\Winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

R2 ssoftnt4;ssoftnt4;\??\C:\WINNT\system32\Drivers\ssoftnt4.sys
R3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;C:\WINNT\system32\DRIVERS\ngrpci.sys
S3 ipgd;IC Plus IP1000 Family Gigabit Ethernet Adapter Driver;C:\WINNT\system32\DRIVERS\ipgdnd51.sys
S3 itchfltr;iTouch Keyboard Filter;C:\WINNT\system32\DRIVERS\itchfltr.sys
S3 lne100tx;Linksys LNE100TX Fast Ethernet PCI Adapter;C:\WINNT\system32\DRIVERS\lne100tx.sys
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINNT\system32\DRIVERS\CamDrL21.sys
S3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINNT\system32\drivers\sis7012.sys
S3 WBHWDOCT;Winbond GPIO Driver1;C:\WINNT\system32\drivers\WBHWDOCT.sys


Contents of the 'Scheduled Tasks' folder
2003-10-17 03:29:16 C:\WINNT\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-24 07:41:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-24 7:44:40 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-24 07:44

--- E O F ---
HiJackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:33:31 PM, on 8/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
E:\Programs\WIDCOMM\Bluetooth Software\bin\btwdins.exe
e:\programs\power panel\upssrv.exe
E:\Symantec\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
e:\programs\power panel\upsio.exe
E:\Symantec\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\cryptainersrv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
E:\Symantec\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\Program Files\Perfect Keylogger Lite\bpk.exe
C:\WINNT\NCLAUNCH.EXe
C:\WINNT\SCURIT~1\msiexec.exe
C:\Documents and Settings\Marvin\My Documents\s?stem\r?gedit.exe
E:\Programs\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Programs\Hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com;;localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E6D49F7-F76D-FACE-1C11-FE8DBD2A85BC} - C:\WINNT\system32\qyu.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programs\Spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINNT\_MWOLTB.DLL
O2 - BHO: (no name) - {C0C1A50A-43CB-1C3A-BD5E-4A76126100E5} - C:\WINNT\system32\eowq.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINNT\_MWOLTB.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINNT\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINNT\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vptray] E:\Symantec\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BPK] C:\Program Files\Perfect Keylogger Lite\bpk.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] E:\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe
O4 - HKCU\..\Run: [NBJ] "E:\Program Files\ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ISMModule] "C:\Program Files\ISM\ISMModule.exe"
O4 - HKCU\..\Run: [Tssr] "C:\WINNT\SCURIT~1\msiexec.exe" -vt yazb
O4 - HKCU\..\Run: [Shsvmva] "C:\Documents and Settings\Marvin\My Documents\s?stem\r?gedit.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINNT\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINNT\_MWOLTB.DLL/23/220
O8 - Extra context menu item: Send To &Bluetooth - E:\Programs\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Programs\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Programs\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/downloads/toolbar/webinstall.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web580.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1126895265483
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187590007031
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC064CA5-538C-44C8-BA47-53012A3880AE}: NameServer = 201.200.24.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C059D459-7622-4133-BEF7-61531CA8060F}: NameServer = 192.168.0.10,192.168.0.1
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - E:\Programs\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: UPS Service (CyberPowerUPS) - Cyber Power System Inc. - e:\programs\power panel\upssrv.exe
O23 - Service: DefWatch - Symantec Corporation - E:\Symantec\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\Symantec\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINNT\SYSTEM32\cryptainersrv.exe
O24 - Desktop Component 0: (no name) - http://www.geocities.com/SiliconValley/660...ion/batana1.gif

--
End of file - 9285 bytes

#4 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 24 August 2007 - 10:15 AM

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed,do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {4E6D49F7-F76D-FACE-1C11-FE8DBD2A85BC} - C:\WINNT\system32\qyu.dll (file missing)
O2 - BHO: (no name) - {C0C1A50A-43CB-1C3A-BD5E-4A76126100E5} - C:\WINNT\system32\eowq.dll
O4 - HKCU\..\Run: [Tssr] "C:\WINNT\SCURIT~1\msiexec.exe" -vt yazb
O4 - HKCU\..\Run: [Shsvmva] "C:\Documents and Settings\Marvin\My Documents\s?stem\r?gedit.exe"
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

Exit HijackThis.

Now run AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan, click on 'Complete System Scan'.
Please be patient; it takes a while for the scan to finish.

1) Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

2) Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done, then restart your PC.

Also post a new HijackThis log please.
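The HijackThis entries RichieUK picks out above share a few tells that a triage script can catch automatically: a BHO whose file is already gone, an unnamed BHO backed by a short random-looking DLL in system32, a copy of msiexec.exe living in a misspelled folder under C:\WINNT instead of system32, and a Run entry whose path prints as "s?stem\r?gedit.exe" because HijackThis replaces non-ASCII (lookalike) characters with '?'. The Python script below is an added example written for this page, not a tool from the thread, from Trend Micro or from AVG; the sample lines are copied from the post, and the heuristics, the list of system binaries and the "random DLL" pattern are assumptions about what to look for, not part of HijackThis itself.

```python
import ntpath
import re

# Sample HijackThis lines copied from RichieUK's fix list and the poster's log
# (constructed input for this example).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4E6D49F7-F76D-FACE-1C11-FE8DBD2A85BC} - C:\WINNT\system32\qyu.dll (file missing)
O2 - BHO: (no name) - {C0C1A50A-43CB-1C3A-BD5E-4A76126100E5} - C:\WINNT\system32\eowq.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [Tssr] "C:\WINNT\SCURIT~1\msiexec.exe" -vt yazb
O4 - HKCU\..\Run: [Shsvmva] "C:\Documents and Settings\Marvin\My Documents\s?stem\r?gedit.exe"
O4 - HKLM\..\Run: [vptray] E:\Symantec\SYMANT~1\SYMANT~1\vptray.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
"""

# Assumed list of Windows binaries that malware likes to impersonate (not exhaustive).
SYSTEM_BINARIES = {
    "msiexec.exe", "regedit.exe", "svchost.exe", "winlogon.exe",
    "lsass.exe", "explorer.exe", "csrss.exe", "services.exe",
}
# Directories where those binaries legitimately live on Windows XP.
SYSTEM_DIRS = {r"c:\winnt\system32", r"c:\windows\system32", r"c:\winnt", r"c:\windows"}

# First drive-letter path ending in .exe/.dll on the line (paths may contain spaces).
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll))\b", re.IGNORECASE)
# Assumed heuristic for the random 2-5 letter DLL names Virtumonde-style BHOs use.
RANDOM_DLL_RE = re.compile(r"^[a-z]{2,5}\.dll$")


def extract_path(line):
    """Return the file path referenced by a HijackThis line, or None."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def lookalike_of(name):
    """Return the system binary that `name` imitates when HijackThis's '?'
    placeholders (printed for non-ASCII characters) are treated as wildcards."""
    pattern = re.escape(name.lower()).replace(r"\?", ".")
    for sysbin in SYSTEM_BINARIES:
        if re.fullmatch(pattern, sysbin):
            return sysbin
    return None


def triage(line):
    """Return the reasons this HijackThis line deserves attention ([] if none)."""
    reasons = []
    path = extract_path(line)
    if path is None:
        return reasons
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()

    if "(file missing)" in line:
        reasons.append("registered file is missing: dead entry, safe to fix")
    if "?" in name or "?" in folder:
        hint = lookalike_of(name)
        reasons.append("non-ASCII character in path (shown as '?')"
                       + (f", mimics {hint}" if hint else ""))
    if name in SYSTEM_BINARIES and folder not in SYSTEM_DIRS:
        reasons.append(f"{name} running from {folder}, not a Windows system directory")
    if (line.startswith("O2") and "(no name)" in line
            and RANDOM_DLL_RE.match(name) and folder.endswith("system32")):
        reasons.append("unnamed BHO backed by a short random-looking DLL in system32")
    return reasons


def triage_log(text):
    """Map every suspicious line of a HijackThis log to its list of reasons."""
    return {line: triage(line) for line in text.strip().splitlines() if triage(line)}


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

The script flags five of the seven sample lines and leaves the Acrobat BHO and the Symantec vptray entry alone, which matches what RichieUK asked to have fixed. The rules are deliberately narrow (a legitimate 8.3 short name such as SYMANT~1 is not treated as suspicious on its own); a real triage pass would still confirm each hit against the file on disk, since a log line only records what the registry claims.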

#5 Rayth

Rayth
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:50 PM

Posted 24 August 2007 - 09:08 PM

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:53:48 PM 8/24/2007

+ Scan result:



C:\System Volume Information\_restore{7A307FEF-E449-419F-B1DB-901B094692B4}\RP1\A0000127.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7A307FEF-E449-419F-B1DB-901B094692B4}\RP2\A0000319.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7A307FEF-E449-419F-B1DB-901B094692B4}\RP2\A0000320.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINNT\system32\Mservice.dll -> Downloader.Wintrim.cj : Cleaned with backup (quarantined).
C:\Documents and Settings\Marvin\Desktop\Random Stuff\Temp Download\Adobe_Photoshop_v7[1].0_Keygen.zip/keygen.exe -> Logger.Delf.ncs : Cleaned with backup (quarantined).
C:\Program Files\Perfect Keylogger Lite\lview.exe -> Logger.Peflog.34 : Ignored.
HKLM\SOFTWARE\Blazing Tools\Perfect Keylogger -> Logger.PerfectKeylogger : Ignored.
HKLM\SOFTWARE\Blazing Tools\Perfect Keylogger\1.0 -> Logger.PerfectKeylogger : Ignored.
HKU\S-1-5-21-606747145-1580436667-1343024091-1003\Software\Blazing Tools\Perfect Keylogger -> Logger.PerfectKeylogger : Ignored.
HKU\S-1-5-21-606747145-1580436667-1343024091-1003\Software\Blazing Tools\Perfect Keylogger\1.0 -> Logger.PerfectKeylogger : Ignored.
C:\Documents and Settings\Marvin\Desktop\Random Stuff\trick.exe -> Not-A-Virus.BadJoke.Win32.FakeDel.e : Ignored.
C:\Documents and Settings\Marvin\Desktop\Random Stuff\bad_boobs.exe -> Not-A-Virus.BadJoke.Win32.KnijpMe : Ignored.
C:\Program Files\Perfect Keylogger Lite\bpk.exe -> Not-A-Virus.Monitor.Win32.Perflogger.a : Ignored.
C:\Program Files\Perfect Keylogger Lite\bsdhooks.dll -> Not-A-Virus.Monitor.Win32.Perflogger.a : Ignored.
[2292] C:\Program Files\Perfect Keylogger Lite\bpk.exe -> Not-A-Virus.Monitor.Win32.Perflogger.a : Ignored.
E:\Programs\Password Revealer\iepv.zip/iepv.exe -> Not-A-Virus.PSWTool.Win32.IEPassView.b : Ignored.
E:\Programs\Password Revealer\iepv\iepv.exe -> Not-A-Virus.PSWTool.Win32.IEPassView.b : Ignored.
:mozilla.10:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.116:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.11:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.12:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.13:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.16:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.178:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.17:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.18:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.19:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.274:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.297:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.61:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.64:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.8:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.9:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.22:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.23:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.87:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.88:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@adorigin[1].txt -> TrackingCookie.Adorigin : Cleaned.
:mozilla.18:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.19:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.20:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.21:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.22:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.31:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.32:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.33:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.34:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.13:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.47:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.8:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Marvin\Cookies\marvin@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.53:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.54:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.56:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.57:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.58:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.59:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.60:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.61:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@cz9.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.327:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Cnn : Cleaned.
:mozilla.67:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.68:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.69:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.70:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.25:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.41:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@ads.euniverseads[1].txt -> TrackingCookie.Euniverseads : Cleaned.
:mozilla.45:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.46:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.47:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.124:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Hotlog : Cleaned.
:mozilla.129:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.130:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
C:\Documents and Settings\Raechelle\Cookies\raechelle@search.live[1].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@sec1.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.43:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.48:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.84:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.85:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Raechelle\Cookies\raechelle@auto.search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\Marvin\Cookies\marvin@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.213:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.215:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.370:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.28:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.29:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.30:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.31:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.222:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.223:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.226:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.74:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.75:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Marvin\Cookies\marvin@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.240:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.241:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.242:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.243:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.24:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.40:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.42:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.244:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.245:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.246:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.247:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.248:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.249:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.250:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.92:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.93:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.94:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.256:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.257:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.258:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.259:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.260:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.261:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.59:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.270:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.271:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.272:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.273:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.278:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.279:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.280:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.286:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.287:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.288:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.289:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.290:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.291:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.292:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.49:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.50:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.51:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.52:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.53:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.54:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.55:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.69:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.70:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.10:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.11:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.12:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.293:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.90:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@www.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@free.wegcash[1].txt -> TrackingCookie.Wegcash : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@yadro[2].txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.322:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.323:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.324:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.325:C:\Documents and Settings\Marvin\Application Data\Mozilla\Firefox\Profiles\default.ug0\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.45:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.46:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.47:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.48:C:\Documents and Settings\Raechelle\Application Data\Mozilla\Firefox\Profiles\x4ly34la.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.56:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.57:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.58:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\87pnti8g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Program Files\Perfect Keylogger Lite\downloads.url -> Trojan.Keylog.154 : Ignored.
C:\Program Files\Perfect Keylogger Lite\i_bpk_lite.exe/Setup.exe -> Trojan.Perf.1.0.0 : Ignored.
C:\QooBox\Quarantine\C\WINNT\system32\wnsapisv32.exe.vir -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7A307FEF-E449-419F-B1DB-901B094692B4}\RP10\A0000669.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7A307FEF-E449-419F-B1DB-901B094692B4}\RP13\A0000946.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7A307FEF-E449-419F-B1DB-901B094692B4}\RP14\A0001013.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7A307FEF-E449-419F-B1DB-901B094692B4}\RP16\A0001106.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7A307FEF-E449-419F-B1DB-901B094692B4}\RP1\A0000211.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7A307FEF-E449-419F-B1DB-901B094692B4}\RP2\A0000323.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Marvin\My Documents\MyMouseWebProg.exe -> Trojan.Zapchast : Cleaned with backup (quarantined).
E:\AIM\icbmft.ocm -> Worm.AimVen : Cleaned with backup (quarantined).


::Report end


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:54 PM, on 8/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
E:\Programs\AVG Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
E:\Programs\WIDCOMM\Bluetooth Software\bin\btwdins.exe
e:\programs\power panel\upssrv.exe
E:\Symantec\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
e:\programs\power panel\upsio.exe
E:\Symantec\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\cryptainersrv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
E:\Symantec\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\LVCOMSX.EXE
E:\Programs\AVG Anti-Spyware\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\NCLAUNCH.EXe
E:\Programs\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\internet explorer\iexplore.exe
E:\Programs\Hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com;;localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programs\Spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINNT\_MWOLTB.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINNT\_MWOLTB.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINNT\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINNT\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vptray] E:\Symantec\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Programs\AVG Anti-Spyware\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BPK] C:\Program Files\Perfect Keylogger Lite\bpk.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] E:\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe
O4 - HKCU\..\Run: [NBJ] "E:\Program Files\ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ISMModule] "C:\Program Files\ISM\ISMModule.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINNT\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINNT\_MWOLTB.DLL/23/220
O8 - Extra context menu item: Send To &Bluetooth - E:\Programs\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Programs\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Programs\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/downloads/toolbar/webinstall.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web580.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1126895265483
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187590007031
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC064CA5-538C-44C8-BA47-53012A3880AE}: NameServer = 201.200.24.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C059D459-7622-4133-BEF7-61531CA8060F}: NameServer = 192.168.0.10,192.168.0.1
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Programs\AVG Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - E:\Programs\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: UPS Service (CyberPowerUPS) - Cyber Power System Inc. - e:\programs\power panel\upssrv.exe
O23 - Service: DefWatch - Symantec Corporation - E:\Symantec\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\Symantec\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINNT\SYSTEM32\cryptainersrv.exe
O24 - Desktop Component 0: (no name) - http://www.geocities.com/SiliconValley/660...ion/batana1.gif

--
End of file - 8284 bytes

Phew, I hope I'm doing this right :thumbsup:

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:08:50 PM

Posted 25 August 2007 - 04:25 AM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - HKCU\..\Run: [ISMModule] "C:\Program Files\ISM\ISMModule.exe"

Your log is clean :thumbsup:
If all's ok, please do the following.

Find and delete:
Combofix.exe
C:\VundoFix Backups
C:\Qoobox

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.


Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
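The reply above works by reading the O4 (autostart) and O17 (DNS server) lines out of the HijackThis log and picking out the one Run entry to fix. As an added example (not code from this thread, from the HJT Team, or from HijackThis itself), here is a small Python parser for that log format that turns each `Onn - ...` line into a record, lists the O4 entries whose name is on a review list, and lists any O17 nameserver that is not in private address space so it can be confirmed against the resolver the ISP or local admin actually assigned. The sample lines are copied from the log posted in this thread; the review list containing `ISMModule` is simply the entry the helper asked to have fixed, and the "not private" DNS test is a generic triage heuristic, not a verdict on this machine.

```python
"""Parse HijackThis (HJT) log lines into records and run two defender-side
triage checks over them: O4 autostart names on a review list, and O17 DNS
servers that sit outside private (RFC 1918 / loopback) address space."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Sample input: lines copied from the HJT log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe
O4 - HKCU\..\Run: [ISMModule] "C:\Program Files\ISM\ISMModule.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC064CA5-538C-44C8-BA47-53012A3880AE}: NameServer = 201.200.24.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C059D459-7622-4133-BEF7-61531CA8060F}: NameServer = 192.168.0.10,192.168.0.1
"""

# Generic HJT entry layout: "O<n> - <body>".
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# O4 registry autostarts: "<hive>\..\Run[Once]: [<name>] <command>".
O4_RE = re.compile(r"^(?P<hive>[^:]+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O17 DNS entries: "... NameServer = a.b.c.d[,e.f.g.h]".
O17_RE = re.compile(r"NameServer\s*=\s*(?P<servers>[\d., ]+)$")


@dataclass
class HjtEntry:
    section: str                    # e.g. "O4", "O17"
    body: str                       # text after "O4 - "
    fields: Dict[str, object] = field(default_factory=dict)  # parsed sub-fields


def parse_log(text: str) -> List[HjtEntry]:
    """Turn every 'Onn - ...' line into an HjtEntry; header/footer lines are skipped."""
    entries: List[HjtEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        fields: Dict[str, object] = {}
        if section == "O4":
            o4 = O4_RE.match(body)
            if o4:                  # "Global Startup" lines have no Run key and stay unparsed
                fields = dict(o4.groupdict())
        elif section == "O17":
            o17 = O17_RE.search(body)
            if o17:
                servers = str(o17.group("servers")).split(",")
                fields["servers"] = [s.strip() for s in servers if s.strip()]
        entries.append(HjtEntry(section, body, fields))
    return entries


def flagged_autostarts(entries: List[HjtEntry], review_names: List[str]) -> List[HjtEntry]:
    """O4 entries whose [name] is on the (assumed, caller-supplied) review list."""
    wanted = {n.lower() for n in review_names}
    return [e for e in entries
            if e.section == "O4" and str(e.fields.get("name", "")).lower() in wanted]


def nameservers(entries: List[HjtEntry]) -> List[str]:
    """All DNS server addresses from O17 lines, in log order."""
    out: List[str] = []
    for e in entries:
        if e.section == "O17":
            out.extend(e.fields.get("servers", []))  # type: ignore[arg-type]
    return out


def non_private_nameservers(entries: List[HjtEntry]) -> List[str]:
    """O17 servers outside private address space; confirm these match the
    resolver the ISP or local admin assigned. Unparseable values are kept too."""
    result: List[str] = []
    for ip in nameservers(entries):
        try:
            if not ipaddress.ip_address(ip).is_private:
                result.append(ip)
        except ValueError:
            result.append(ip)
    return result


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in flagged_autostarts(parsed, ["ISMModule"]):
        print(f"review O4 {e.fields['hive']}\\{e.fields['key']}: [{e.fields['name']}] {e.fields['cmd']}")
    for ip in non_private_nameservers(parsed):
        print(f"confirm DNS server {ip} is the expected resolver")
```

Run it as a script to print the two findings, or import it and feed `parse_log` a whole saved log; the O4 regex only covers registry Run/RunOnce entries, so "Global Startup" items are kept as raw records with an empty `fields` dict.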

#7 Rayth

Rayth
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:50 PM

Posted 25 August 2007 - 01:12 PM

Wow that was fast and easy man. You really gave me some peace of mind. Thank you so much for all the help. You guys are pretty damn cool.

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:08:50 PM

Posted 25 August 2007 - 03:33 PM

You're most welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.