
Vista Os Battling Trojan.fructe To W32.trats Legions Galore!


12 replies to this topic

#1 yoroshiku2

Posted 28 January 2008 - 06:03 PM

Problems:

1. Originally had Trojan.Fructa pop-ups (now gone)
2. W32.Trats Infection (repeatedly shows up in Norton as blocked)
3. Missing efecy.dll & efdd.exe files
4. Can't delete BoCore.exe file (Comodo)
Files removed by BoClean:
C/Windows/Ehome/EHTpay.exe
C/Windows/Ehome/EHMSAS.exe
C/Windows/System32/MSFeedssync.exe
5. Ntuser.dat.Log1 & Ntuser.dat.Log2 appeared in C/Users/Erin
6. “A runtime error has occurred. Do you wish to Debug? Line: 162 Error: the download of the specified resource has failed.” Press Ok. Unable to debug.

Things I've done:

1. Contacted Norton, but they won't help unless I fork over a month's salary. (I'm a Peace Corps volunteer in Moldova. Willing to donate if I can get it fixed!!)
2. Tried to follow advice from previous forums and websites to no avail. Especially since Vista isn't compatible with Spybot Search & Destroy or AVG Antivirus or AVG Rootkit freeware.
3. I've tried other freeware such as Comodo, AutoRuns, SD Fix, BoClean, File Recovery for Windows, Wise Disk & Registry Cleaner, Registry Mechanic, Ad-Aware 2007, Seagate File Recovery, etc. Hopefully I didn't do too much damage in the process! :thumbsup:

After much wasted time, as the problems still persist, I'm hoping for your help and expertise! I've learned my lesson with shareware, and after this I don't plan to use it. Could I also have been infected from flash drives? Thank you for helping me!

Hijack Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:37 PM, on 1/28/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_SL.exe
C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F3 - REG:win.ini: load=C:\Users\Erin\AppData\Local\Temp\efcdd.exe
F3 - REG:win.ini: run=
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Erin\AppData\Local\Temp\efecy.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Erin\AppData\Local\Temp\efcdd.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: OneNote Table Of Contents.onetoc2
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11956 bytes

Ad-Aware 2007 Scan results:

Ad-Aware 2007 Build
Log File Created on: 2008-01-28 20:37:03
Using Definitions File: C:\ProgramData\Lavasoft\Ad-Aware 2007\core.aawdef
Computer name: HP-PC
Name of user performing scan: SYSTEM

System information
===========================
Number of processors: 2
Processor type: AMD Turion™ 64 X2
Memory Available: 35%
Total Physical Memory: 1004601344 Bytes
Available Physical Memory: 349294592 Bytes
Total Page File Size: 2274590720 Bytes
Available On Page File: 984735744 Bytes
Total Virtual Memory: 2147352576 Bytes
Available Virtual Memory: 1962225664 Bytes
OS: Microsoft Windows Vista (Build 6000)

Ad-Aware 2007 Settings
===========================
Skipping files larger than 1048576 kB
Ignoring infections with lower TAI than: 3


Extended Ad-Aware 2007 Settings
===========================
Unloading known modules during scan
Ignoring spanned files when scanning cab archives
Reanalyzing results after scanning before displaying results
Trying to unload modules prior to removal
Let Windows remove files currently in use at next reboot
Removing quarantined objects after restore
Deactivating Ad-Watch during scans
Writeprotecting system files after repairs
Include info about ignored objects in log file
Including basic settings in log file
Including advanced settings in log file
Including user and computer name in log file
Create and save WebUpdate log file

Databaseinfo
===========================
Version number: 45
Build Number: 0
Build Date and Time: 2008/01/21 10:30:02

Scan Statistics
===========================
Method: Full
Scan tracking cookies.............................: On
Scan ADS filestreams..............................: Off

Item Scanned: 343392
Infections Detected: 208
Infections Ignored: 0

Scan detailed statistics
===========================
Type               Critical   Total
Process Scan....:         0       0
Registry Scan...:         0       0
Registry PE Scan:         0       0
Hosts File Scan.:         0       0
File Scan.......:         0       0
Folder Scan.....:         0       0
LSP Scan........:         0       0
ADS Scan........:         0       0
Cookie Scan.....:       208     208
File Hash Scan..:         0       0

Infections Found
===========================
Family Id: 725 Name: Tracking Cookie Category: DataMiner TAI:3
Item Id: 600000112 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat live365.com SaneID /
Item Id: 600000179 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat atdmt.com AA002 /
Item Id: 600000093 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat ads.pointroll.com PRID /
Item Id: 600000093 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat ads.pointroll.com PRimp /
Item Id: 600000093 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat ads.pointroll.com PRca /
Item Id: 600000093 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat ads.pointroll.com PRcp /
Item Id: 600000093 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat ads.pointroll.com PRpl /
Item Id: 600000093 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat ads.pointroll.com PRcr /
Item Id: 600000093 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat ads.pointroll.com PRpc /
Item Id: 600000201 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat media.adrevolver.com BIGipServerar-slave /
Item Id: 600000201 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat adrevolver.com prefs /
Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat ad.yieldmanager.com uid /
Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat ad.yieldmanager.com vuday1 /
Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat ad.yieldmanager.com fl_inst /
Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat ad.yieldmanager.com ih /
Item Id: 600000126 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat ehg-space.hitbox.com DM540820MHADV6 /
Item Id: 600000126 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat hitbox.com CTG /
Item Id: 600000126 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat hitbox.com WSS_GW /
Item Id: 600000415 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat revsci.net NETID01 /
Item Id: 600000415 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat revsci.net NETSEGS_K05540 /
Item Id: 600000415 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat revsci.net rsi_cls_1000000 /
Item Id: 600000415 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat revsci.net rsi_segs_1000000 /
Item Id: 600000190 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat www.googleadservices.com Conversion /pagead/conversion/1065565904/
Item Id: 600000144 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat doubleclick.net test_cookie /
Item Id: 600000068 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat statse.webtrendslive.com ACOOKIE /
Item Id: 600000409 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat server.iad.liveperson.net HumanClickID /
Item Id: 600000409 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat server.iad.liveperson.net HumanClickACTIVE /
Item Id: 600000144 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat doubleclick.net id /
Item Id: 600000201 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat adrevolver.com prefs /
Item Id: 600000201 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat adrevolver.com adrev_adpath /
Item Id: 600000201 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat adrevolver.com adrev_dgp /
Item Id: 600000263 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat mediaplex.com svid /
Item Id: 600000179 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat atdmt.com AA002 /
Item Id: 600000372 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat ads.bridgetrack.com BTA /
Item Id: 600000212 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat msnportal.112.2o7.net s_vi /
Item Id: 600000142 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat estat.com e /
Item Id: 600000225 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat weborama.fr AFFICHE_W /
Item Id: 600000225 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat weborama.fr aimfarcapping /
Item Id: 600000225 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat weborama.fr wous /
Item Id: 600000001 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat adserver.easyad.info JEB2 /
Item Id: 600000506 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat boldchat.com bc-visitor-id-863367694575571208 /
Item Id: 600000292 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat ad8.bannerbank.ru bb_tmp /
Item Id: 600000292 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat ad8.bannerbank.ru bb_uid /
Item Id: 600000083 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat 247realmedia.com RMID /
Item Id: 600000212 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat metacafe.122.2o7.net s_vi /
Item Id: 600000513 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat 3.adbrite.com ihc_52286 /
Item Id: 600000073 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat specificclick.net dmc /
Item Id: 600000073 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat specificclick.net dmk /
Item Id: 600000073 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat specificclick.net smc /
Item Id: 600000073 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat specificclick.net smk /
Item Id: 600000073 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat specificclick.net dmp /
Item Id: 600000073 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat specificclick.net smx /
Item Id: 600000661 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat kontera.com cluid /
Item Id: 600000661 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat kontera.com imprs /
Item Id: 600000661 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat kontera.com limps /
Item Id: 600000269 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat hotlog.ru ID /
Item Id: 600000513 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat ads.adbrite.com ihc_518133 /
Item Id: 600000513 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat ads.adbrite.com ihc_155982 /
Item Id: 600000212 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat macromedia.112.2o7.net s_vi /
Item Id: 600000084 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat rambler.ru ruid /
Item Id: 600000084 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat rambler.ru rup /
Item Id: 600000212 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat laptopmag.122.2o7.net s_vi /
Item Id: 600000126 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat ehg-bestbuy.hitbox.com WSS_MIGRATION /
Item Id: 600000126 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat ehg-bestbuy.hitbox.com DM530814LKBCV6 /
Item Id: 600000282 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat data.coremetrics.com CoreID6 /
Item Id: 600000234 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat tradedoubler.com TD_PIC /
Item Id: 600000234 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat tradedoubler.com TD_UNIQUE_IMP /
Item Id: 600000400 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat tacoda.net TID /
Item Id: 600000400 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat tacoda.net ANRTT /
Item Id: 600000400 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat tacoda.net TData /
Item Id: 600000400 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat tacoda.net Tcc /
Item Id: 600000138 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat fastclick.net zru /
Item Id: 600000138 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat fastclick.net rt /
Item Id: 600000095 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat perf.overture.com SYSTEM_USER_ID /
Item Id: 600000083 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat realmedia.com RMID /
Item Id: 600000083 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat realmedia.com RMFL /
Item Id: 600000083 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat realmedia.com NXCLICK2 /
Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat insightexpressai.com IXAIBanners841 /
Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat insightexpressai.com IXAIBannerCounter24136 /
Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat insightexpressai.com IXAIFirstHit841 /
Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat insightexpressai.com IXAILastHit841 /
Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat insightexpressai.com IXAICampaignCounter841 /
Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat insightexpressai.com IXAICampaignCounter908 /
Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat insightexpressai.com IXAIControlCounter908 /
Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat insightexpressai.com IXAIBannerCounter26268 /
Item Id: 600000555 Value: Browser: Internet Explorer Cookie: C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Cookies\Low\\index.dat insightexpressai.com IXAIBanners908 /

Items Ignored During Scan
===========================


Cleaned Infections
===========================

End of Cleaned Infections
===========================

Your knowledge and assistance are GREATLY appreciated!

Edited by yoroshiku2, 28 January 2008 - 06:08 PM.

#2 yoroshiku2
  • Topic Starter

Posted 31 January 2008 - 11:15 AM

NEW Problems as of Jan. 31st:

1) Errors Loading: C/Users/Erin/AppData/Local/Temp/msheogjg.dll

2) Errors Loading: C/Users/Erin/AppData/Local/Temp/qopom.dll
"The specified modules could not be found"

3) Difficulty connecting to the internet even though my computer says I'm connected to the server. I can connect only one time per reboot. Strange!

4) Norton AntiVirus now has problems downloading "Protection updates" & "Spyware definitions".

5) Ulead Video Error pop-ups. An internal error has occurred. (Error code=%s) [15033:0:1] - I want to completely get rid of this trial software.

6) Pop-up: "The security information is invalid or has been modified. This program will be terminated." (Nothing happens, that I know of, when pressing the OK button.)

Please advise! Thank you!

#3 yoroshiku2
  • Topic Starter

Posted 04 February 2008 - 07:28 AM

More problems in addition to those mentioned previously!!!! The following have come to my attention in the last week since posting my original SOS email.

1) Norton Anti-Virus has been hijacked & I cannot delete downloaded files (as I do not have permission to access those files) that have changed its settings. I can no longer update Antivirus LiveUpdate or Spyware settings.

In Norton's log the following have been detected on my computer, but not permanently removed as they repeatedly come up. :thumbsup:

W32.Trats
Trojan.Metajuan
Trojan.Wimad
Trojan.Horse
Downloader
Trojan.Vundo
JS.Exception.Exploit
W32.Fakerey
W32.Sality.X
W32.Silly!gen
W32.Rontokbro.K@mm
W32.Rajump
qttask.exe made 50 modifications to windows start-up (detected)
regt.cfexe modified internet explorer settings
-iu14d2n.tmp modified windows startup settings
prevxcsi blocked from accessing network resources
is-7h14a.tmp made 2 modifications to windows startup
HSloader was allowed to access your network resources
vlc-0.8.6d-win32.exe made 4 modifications to Windows start up
hpasset.exe behaved suspiciously
hpdiags.exe made 2 modifications to windows start-up

- new error message: c/users/erin/AppData/LocalTemp/qufbpljv.dll not able to run on start-up. Missing file.

- my toolbar and icons all frequently disappear now!!

Help!!!!!!!!!!!!!!!!!!!! I'm afraid to delete any files, since so many registry files seem to be missing already. Is there anything I can do to fix my computer?

Here is my updated HijackThis file as of today 2/04/08


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:33 AM, on 2/4/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_SL.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F3 - REG:win.ini: load=C:\Users\Erin\AppData\Local\Temp\efcdd.exe
F3 - REG:win.ini: run=
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Erin\AppData\Local\Temp\qopom.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Erin\AppData\Local\Temp\efcdd.dll,c
O4 - HKCU\..\Run: [5f01eab1] rundll32.exe "C:\Users\Erin\AppData\Local\Temp\kqopqipb.dll",b
O4 - HKCU\..\Run: [MS Juan] rundll32 "C:\Users\Erin\AppData\Local\Temp\qufbpljv.dll",run
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: OneNote Table Of Contents.onetoc2
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12817 bytes

#4 Rosty

    Skydive junkie

  • Malware Response Team
  • 1,220 posts

Posted 05 February 2008 - 04:32 AM

Hi,

Sorry for the delay. My name is Rosty and I'm going to help you with your log.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Proud member of ASAP since 2007

#5 yoroshiku2

  • Topic Starter
  • Members
  • 11 posts

Posted 05 February 2008 - 01:38 PM

Thanks for contacting me Rosty! I was about to completely reload Windows/Office. My name is Erin, and I am incredibly happy to hear from you!

Here's the ComboFix.exe log:

ComboFix 08-02.05.3 - Erin 2008-02-05 19:05:05.1 - NTFSx86
Microsoft Windows Vista Home Premium 6.0.6000.0.1252.1.1033.18.250 [GMT 2:00]
Running from: C:\Users\Erin\Downloads\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://www.downj+|C̛v+@J:NGD_DQ{zZOmO̢K$@@7[5@DownloadPackageAttachmentTask: 26a5c38d97dc4c53be141a872882e5b9 S-1-5-20 @x`l@\???? 6VwoQZCDHMJC:\ProgramData\Microsoft\eHome\Packages\SportsSchedule\SportsSchedule.enc{
.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-04 18:39 . 2008-02-04 18:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-28 21:52 . 2008-01-28 21:53 <DIR> d-------- C:\Program Files\FILE RECOVERY for Windows
2008-01-28 21:12 . 2008-01-28 21:37 <DIR> d-------- C:\Program Files\Wise Disk Cleaner
2008-01-28 21:03 . 2008-01-28 21:22 <DIR> d-------- C:\Program Files\Wise Registry Cleaner
2008-01-28 18:37 . 2008-01-28 18:39 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-01-28 18:37 . 2008-01-28 18:39 <DIR> d-------- C:\ProgramData\Lavasoft
2008-01-28 18:37 . 2008-01-28 18:37 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-28 18:35 . 2008-01-28 18:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-28 17:58 . 2008-01-28 17:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-28 11:17 . 2008-01-28 11:22 <DIR> d-------- C:\Users\Erin\AppData\Roaming\PrevxCSI
2008-01-28 11:17 . 2008-01-28 11:17 <DIR> d-------- C:\Users\All Users\Prevx
2008-01-28 11:17 . 2008-01-28 11:17 <DIR> d-------- C:\ProgramData\Prevx
2008-01-28 10:38 . 2008-02-04 20:07 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-01-28 10:38 . 2008-02-04 20:07 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-01-27 23:33 . 2008-01-27 23:33 <DIR> d-------- C:\Users\Erin\AppData\Roaming\Uniblue
2008-01-27 23:24 . 2008-01-28 21:36 <DIR> d-------- C:\Users\All Users\BOC425
2008-01-27 23:24 . 2008-01-28 21:36 <DIR> d-------- C:\ProgramData\BOC425
2008-01-27 23:24 . 2007-11-26 10:38 238,848 --a------ C:\Windows\UNBOC.EXE
2008-01-27 23:24 . 2007-05-08 17:01 208,896 --a------ C:\Windows\CMDLIC.DLL
2008-01-27 23:24 . 2006-11-02 11:46 14,848 --a------ C:\Windows\System32\wsock32.dlb
2008-01-27 23:23 . 2008-01-28 14:22 <DIR> d-------- C:\Program Files\Comodo
2008-01-27 23:23 . 2008-01-27 23:25 377 --a------ C:\Windows\BOC425.INI
2008-01-27 22:18 . 2004-08-04 08:00 506,368 --a------ C:\Windows\System32\msxml.dll
2008-01-25 11:41 . 2007-01-18 14:00 3,968 --a------ C:\Windows\System32\drivers\AvgArCln.sys
2008-01-21 19:39 . 2008-01-21 19:39 <DIR> d-------- C:\Users\All Users\NCH Software
2008-01-21 19:39 . 2008-01-21 19:39 <DIR> d-------- C:\ProgramData\NCH Software
2008-01-15 09:30 . 2008-01-15 09:31 <DIR> d-------- C:\Program Files\QuickTime
2008-01-15 09:15 . 2008-01-15 09:15 <DIR> d-------- C:\Users\Erin\AppData\Roaming\MPEG Streamclip
2008-01-10 03:06 . 2008-01-10 03:06 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-01-10 03:06 . 2008-01-10 03:06 216,760 --a------ C:\Windows\System32\drivers\netio.sys
2008-01-10 03:06 . 2008-01-10 03:06 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-01-10 03:06 . 2008-01-10 03:06 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-01-10 03:06 . 2008-01-10 03:06 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-01-10 03:03 . 2008-01-10 03:03 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-10 03:03 . 2008-01-10 03:03 1,686,016 --a------ C:\Windows\System32\gameux.dll
2008-01-10 03:03 . 2008-01-10 03:03 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-01-10 03:03 . 2008-01-10 03:03 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
2008-01-10 03:03 . 2008-01-10 03:03 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-01-10 03:03 . 2008-01-10 03:03 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-01-10 03:03 . 2008-01-10 03:03 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-01-10 03:03 . 2008-01-10 03:03 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-01-10 03:03 . 2008-01-10 03:03 15,928 --a------ C:\Windows\System32\drivers\pciide.sys
2008-01-10 03:02 . 2008-01-10 03:02 11,776 --a------ C:\Windows\System32\sbunattend.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 21:41 --------- d-----w C:\Users\Erin\AppData\Roaming\uTorrent
2008-02-05 21:41 --------- d-----w C:\ProgramData\Ulead Systems
2008-02-05 21:41 --------- d-----w C:\Program Files\uTorrent
2008-02-05 17:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-05 17:00 --------- d-----w C:\Users\Erin\AppData\Roaming\Skype
2008-02-05 11:45 42,174 ----a-w C:\Users\Erin\AppData\Roaming\nvModes.dat
2008-02-05 11:24 --------- d-----w C:\ProgramData\Roxio
2008-02-01 07:15 --------- d-----w C:\ProgramData\Symantec
2008-01-28 12:22 --------- d-----w C:\Program Files\Ulead Systems
2008-01-27 21:45 --------- d-----w C:\ProgramData\Microsoft Help
2008-01-17 08:26 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-15 07:54 10,537 ----a-w C:\Windows\system32\drivers\coh_mon.cat
2008-01-15 03:28 706 ----a-w C:\Windows\system32\drivers\COH_Mon.inf
2008-01-12 16:32 23,904 ----a-w C:\Windows\system32\drivers\COH_Mon.sys
2008-01-10 01:15 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-10 01:15 --------- d-----w C:\Program Files\Windows Mail
2008-01-10 01:03 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-10 01:03 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-10 01:03 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-10 01:03 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2007-12-31 21:52 --------- d-----w C:\Users\Erin\AppData\Roaming\LimeWire
2007-12-25 09:30 --------- d-----w C:\Program Files\Norton Internet Security
2007-12-25 07:04 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2007-12-25 07:04 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2007-12-25 07:04 10,740 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2007-12-25 07:04 --------- d-----w C:\Program Files\Symantec
2007-12-21 17:25 --------- d-----w C:\Users\Erin\AppData\Roaming\Symantec
2007-12-16 15:34 --------- d-----w C:\Program Files\Flickr Uploadr
2007-12-15 01:32 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-15 01:31 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-15 01:31 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-15 01:30 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-15 01:30 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-15 01:30 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-15 01:30 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-15 01:29 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-15 01:29 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-15 01:29 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-15 01:29 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-12-15 01:26 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-15 01:26 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-12-14 09:32 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2007-12-11 17:04 --------- d-----w C:\ProgramData\Yahoo! Companion
2007-12-11 17:03 --------- d-----w C:\Users\Erin\AppData\Roaming\Yahoo!
2007-12-09 13:07 --------- d-----w C:\Program Files\Apple Software Update
2007-12-09 12:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-09 12:28 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-06 06:31 --------- d-----w C:\Program Files\Google
2007-12-05 19:21 --------- d-----w C:\Users\Erin\AppData\Roaming\Yahoo! Companion
2007-12-04 16:26 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-12-04 16:26 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2007-12-04 16:26 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-12-04 16:25 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-12-04 16:25 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-12-04 16:25 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2007-12-04 16:25 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2007-12-04 16:25 297,984 ----a-w C:\Windows\System32\wlansec.dll
2007-12-04 16:25 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2007-12-04 16:25 2,923,520 ----a-w C:\Windows\explorer.exe
2007-12-04 16:10 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2007-12-04 16:09 7,680 ----a-w C:\Windows\System32\spwmp.dll
2007-12-04 16:09 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2007-12-04 16:09 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2007-12-04 15:53 84,480 ----a-w C:\Windows\System32\INETRES.dll
2007-12-04 15:53 788,992 ----a-w C:\Windows\System32\rpcrt4.dll
2007-12-04 15:53 737,792 ----a-w C:\Windows\System32\inetcomm.dll
2007-12-04 15:53 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-11-06 11:36 29,952 ----a-w C:\Windows\Help\OEM\scripts\HPScript.exe
2007-08-30 10:17 174 --sha-w C:\Program Files\desktop.ini
2007-06-07 02:39 8 ----a-w C:\Users\Erin\AppData\Roaming\usb.dat.bin
2007-04-21 05:41 0 ----a-w C:\Users\Erin\AppData\Roaming\wklnhst.dat
2007-02-26 19:29 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-02-26 19:29 32,768 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-02-26 19:29 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
Files Infected - Win32.Agent.zb
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-25 05:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-12-21 19:20 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-25 05:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 03:02 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-06 00:35 25370152]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 19:49 4670968]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-11 19:32 1006264]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 08:02 815104]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 20:58 159744]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [ ]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 19:56 317152]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 19:32 472800]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-01-14 13:31 77824]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-22 00:09 842584]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-01-14 07:40 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-01-14 07:40 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-01-14 07:40 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"UVS11 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 23:12 341488]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 16:29 67752]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-25 07:07 51048]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-11-25 01:33 167936]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [ ]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-04-25 17:44 35328]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 18:18 270648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]

C:\Users\Erin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]
OneNote Table Of Contents.onetoc2 [2007-02-10 06:25:45 3656]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
HP Connections.lnk - C:\Program Files\HP Connections\6811507\Program\HP Connections.exe [2007-01-14 13:09:50 34520]

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20080123.001\IDSvix86.sys [2007-11-06 18:07]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" [2007-08-25 07:07]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 19:39]
R3 COH_Mon;COH_Mon;C:\Windows\system32\Drivers\COH_Mon.sys [2008-01-12 18:32]
R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2006-09-15 10:44]
R3 SymIMMP;SymIMMP;C:\Windows\system32\DRIVERS\SymIM.sys [2007-08-10 02:27]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-08-13 22:50]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2007-01-03 21:43]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\Windows\system32\DRIVERS\SymIM.sys [2007-08-10 02:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bee78da-04a9-11dc-b702-0016d31b5ee4}]
\shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4276684-5d5c-11dc-818b-0016d31b5ee4}]
\shell\AutoRun\command - F:\LapNetWizard.exe

*Newly Created Service* - COMHOST
*Newly Created Service* - ERASERUTILDRV10741
.
Contents of the 'Scheduled Tasks' folder
"2008-01-28 19:41:46 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Erin.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:
"2008-02-05 17:10:16 C:\Windows\Tasks\User_Feed_Synchronization-{AE9BA4C4-10E7-49FE-A207-10A2041F54F0}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 19:11:47
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-05 19:12:55
ComboFix-quarantined-files.txt 2008-02-05 17:12:51
.
2008-01-10 01:06:57 --- E O F ---

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:50 PM, on 2/5/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\sdclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: OneNote Table Of Contents.onetoc2
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11829 bytes
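The O23 lines above are HijackThis's service inventory, and the first things a helper checks on them are the owner string and whether the binary still exists. The script below is an added example, not part of HijackThis or of this thread: it parses each "O23 - Service:" line into its fields and flags entries with "Unknown owner", a "(file missing)" note, or an image path outside the usual install directories. The flag rules and the EXPECTED_ROOTS list are assumptions of this example; the sample input copies three lines from the log above and adds one constructed line (hypothetical service and path) to exercise the path rule.

```python
"""Triage of HijackThis O23 (service) log lines.

Added example for this thread; not HijackThis's own logic. The flag rules
below are assumptions about what a malware-response helper looks at first.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Fields are separated by ' - '; a trailing '(file missing)' is HijackThis's own note.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?: \((?P<note>[^()]*)\))?$"
)
# HijackThis appends the short service name in parentheses when it differs.
SHORT_NAME_RE = re.compile(r"\((?P<short>[^()]+)\)$")

# Where a service binary is normally installed (assumption of this example).
EXPECTED_ROOTS = ("c:\\program files", "c:\\windows", "c:\\progra~1")


@dataclass
class ServiceEntry:
    display: str          # display name, possibly with '(shortname)' suffix
    short: Optional[str]  # service short name if HijackThis printed one
    owner: str            # publisher string, or 'Unknown owner'
    path: str             # image path as logged
    note: Optional[str]   # e.g. 'file missing'
    flags: List[str] = field(default_factory=list)


def triage_flags(e: ServiceEntry) -> List[str]:
    """Flag rules (assumptions): the entries a helper would look at first."""
    flags: List[str] = []
    if e.owner == "Unknown owner":
        flags.append("unknown-owner")   # no publisher string: check the binary's signer
    if e.note and "file missing" in e.note:
        flags.append("file-missing")    # orphaned registration, common after a cleanup
    if not e.path.lower().startswith(EXPECTED_ROOTS):
        flags.append("unusual-path")    # e.g. a user profile or Temp directory
    return flags


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for an O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display = m.group("display")
    sm = SHORT_NAME_RE.search(display)
    entry = ServiceEntry(
        display=display,
        short=sm.group("short") if sm else None,
        owner=m.group("owner"),
        path=m.group("path"),
        note=m.group("note"),
    )
    entry.flags = triage_flags(entry)
    return entry


def triage(lines: List[str]) -> List[ServiceEntry]:
    """Parse every O23 line; ignore everything else (header, '--', 'End of file')."""
    return [e for e in (parse_o23(l) for l in lines) if e is not None]


def flagged_names(lines: List[str]) -> List[str]:
    """Display names of entries that received at least one flag, in log order."""
    return [e.display for e in triage(lines) if e.flags]


# Sample input: the first three lines are copied from the log above; the fourth is
# a constructed line (hypothetical service and path) to exercise the path rule.
SAMPLE_LOG = [
    r"O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe",
    r"O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe",
    r"O23 - Service: Symantec AppCore Service (SymAppCore) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe (file missing)",
    r"O23 - Service: Example Helper (examplehlp) - Unknown owner - C:\Users\Erin\AppData\Local\Temp\examplehlp.exe",  # constructed
    "--",
    "End of file - 11829 bytes",
]

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        status = ", ".join(e.flags) if e.flags else "ok"
        print(f"{e.display:65} {status}")
```

Run it on a saved HijackThis log by reading the file into a list of lines and passing it to `triage`; an "unknown-owner" flag on its own is common for legitimate OEM software (several HP and CyberLink services above carry it), so it is a prompt to check the file's signature, not a verdict.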

#6 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts

Posted 05 February 2008 - 03:58 PM

Hi,

Can you tell me what problems you still have?
Proud member of ASAP since 2007

#7 yoroshiku2

yoroshiku2
  • Topic Starter

  • Members
  • 11 posts

Posted 06 February 2008 - 04:14 AM

Rosty,

Did ComboFix.exe really just fix my machine? I no longer have error messages pop up, and my machine is working much faster. :thumbsup:

The only problems (or remnants of the chaos of the last few weeks) I can find are:
1) There are still 2 files in my user folder that appeared when all the craziness began: ntuser.dat.LOG1 & ntuser.dat.LOG2 .
2) Norton Anti-Virus' Live Update still does not download updates. I found a way to do it manually online, but it would be nice to undo what the viruses did - if possible.

** Also, if these problems persist again, should I run ComboFix.exe??

Do you recommend any other protective software programs for Vista OS other than Norton AntiVirus (or instead of Norton)? Freeware ideally.

Thanks for your advice, and help!
Erin

#8 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts

Posted 06 February 2008 - 01:23 PM

Rosty,

Did ComboFix.exe really just fix my machine? I no longer have error messages pop up, and my machine is working much faster. :thumbsup:

Yes it did, but Combofix is not for use without knowledge!!

The only problems (or remnants of the chaos of the last few weeks) I can find are:

1) There are still 2 files in my user folder that appeared when all the craziness began: ntuser.dat.LOG1 & ntuser.dat.LOG2 .

Search for those using Windows Explorer and try to delete them!!

2) Norton Anti-Virus' Live Update still does not download updates. I found a way to do it manually online, but it would be nice to undo what the viruses did - if possible.

Well, that's one of the reasons why I have removed Norton from my system. And the second is that Norton really slows down my system!!

** Also, if these problems persist again, should I run ComboFix.exe??

No, you may not!! Combofix is updated every day and it's possible there are bugs in it!!

Do you recommend any other protective software programs for Vista OS other than Norton AntiVirus (or instead of Norton)? Freeware ideally.

I'm using Avast, it's good, it doesn't slow down your system and it's FREEWARE.
Here you find more free AV's: http://users.telenet.be/bluepatchy/miekiem...irus%20Scanners

Thanks for your advice, and help!
Erin


You're welcome.

Please remove Combofix in this way:

Click Start >> Run, and then type ComboFix /u and hit Enter.

#9 yoroshiku2

yoroshiku2
  • Topic Starter

  • Members
  • 11 posts

Posted 06 February 2008 - 02:22 PM

Hi Rosty,

I deleted ComboFix as you suggested.

1) Unfortunately, I can't delete either of the ntuser files. It says they are "currently open in other programs".

2) Also, for some reason I can't reconnect to the internet after finishing a session, closing Windows Explorer, and later double-clicking on the Internet Explorer icon to restart an internet session.

When it doesn't connect to my host server (where I'm supposed to log in) I have to restart my computer to get to my host's website --- even though my computer says it's connected to the network in the lower right-hand corner icon.

This has only happened since my computer was infected... is it just a remnant of what the viruses left behind and something I need to live with, or can I fix it?

3) Thanks also for your suggestions about freeware. It's much appreciated! :thumbsup:

Erin

#10 yoroshiku2

yoroshiku2
  • Topic Starter

  • Members
  • 11 posts

Posted 07 February 2008 - 02:11 AM

I downloaded Comodo Firewall, it did a scan on my system and said I still have a file connected with Trojan Virtumonde.

C:/Users/Erin/AppData/Local/Temp/efcdd.dll

Should I delete it? I won't touch it until I hear from you.

Thanks,
Erin


#11 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts

Posted 07 February 2008 - 10:51 AM

I downloaded Comodo Firewall, it did a scan on my system and said I still have a file connected with Trojan Virtumonde.

C:/Users/Erin/AppData/Local/Temp/efcdd.dll

Should I delete it? I won't touch it until I hear from you.

Thanks,
Erin


Yes you may delete it.

#12 yoroshiku2

yoroshiku2
  • Topic Starter

  • Members
  • 11 posts

Posted 10 February 2008 - 05:58 AM

Rosty,

If I may finish with the following questions....

1) How can I delete the ntuser files?? It says they are in use and won't allow me to delete them from my user account.

2) For some reason I have a new error message that doesn't allow me to open Internet Explorer in a new window (error message attached). Instead it opens a new IE page in the same window - like a new folder. Do you know how I can fix this?

Thanks.


#13 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts

Posted 12 February 2008 - 02:14 PM

Rosty,

If I may finish with the following questions....

1) How can I delete the ntuser files?? It says they are in use and won't allow me to delete them from my user account.

2) For some reason I have a new error message that doesn't allow me to open Internet Explorer in a new window (error message attached). Instead it opens a new IE page in the same window - like a new folder. Do you know how I can fix this?

Thanks.

Sorry for the delay!! I will do some research on your questions!! I was away for 2 days.