Webhancer, Trojan-downloader, And Others


  • This topic is locked
16 replies to this topic

#1 chadwickms


Posted 13 May 2008 - 01:14 PM

Hello:

Followed the instructions of running a kaspersky online scan, here is the log from it:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
May 13, 2008 12:43:14 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/05/2008
Kaspersky Anti-Virus database records: 768445
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 84838
Number of viruses found: 30
Number of infected objects: 91
Number of suspicious objects: 46
Duration of the scan process: 01:04:10

Infected Object Name / Virus Name / Last Action
C:\!KillBox\webHancer\Programs\webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak16.zip/kvnab$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak16.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak2.zip/kvnab$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak21.zip/hcwprn.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak21.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak24.zip/cbinst$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak24.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak33.zip/wbeInst$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak33.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak38.zip/cbinst$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak38.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak44.zip/kvnab$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak44.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak5.zip/wbeInst$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak5.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak52.zip/cbinst$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak52.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak58.zip/kvnab$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak58.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak66.zip/cbinst$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak66.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip/wml.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC39.zip/vxddsk.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC39.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp100.zip/liqui.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp100.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp11.zip/kkcomp$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp11.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp137.zip/liqad$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp137.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp149.zip/vxddsk.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp149.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp189.zip/xxxvideo.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp189.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp54.zip/liqad$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp54.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp56.zip/liqad.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp56.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp63.zip/xxxvideo.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp63.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp65.zip/vxddsk.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp65.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp94.zip/kkcomp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp94.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Chad Benoit\Application Data\Global Flag\Byte bias beep.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\Chad Benoit\Application Data\Global Flag\Gpl enc.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\Chad Benoit\Application Data\Global Flag\xetlokre.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\Chad Benoit\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-1181d259-3a3ab97f.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Chad Benoit\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-1181d259-3a3ab97f.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Chad Benoit\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\Sent Items.dbx/[From "Chad Benoit" <chadwickbt@bellsouth.net>][Date Tue, 21 Nov 2006 09:00:10 -0600]/eicar.com Infected: EICAR-Test-File skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\Sent Items.dbx/[From "Chad Benoit" <chadwickbt@bellsouth.net>][Date Tue, 21 Nov 2006 09:03:39 -0600]/eicar.com.zip Infected: EICAR-Test-File skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\Sent Items.dbx MailMSOutlook5: infected - 2 skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Chad Benoit\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temp\b2new.exe Infected: Trojan-Downloader.Win32.Agent.otg skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temp\bis322.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temp\DRDld\aoadvdcopy.exe Infected: not-a-virus:FraudTool.Win32.SpywareDetector.d skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temp\etr76h.exe/data0006 Infected: Trojan-Downloader.Win32.VB.ehl skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temp\etr76h.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temp\ie.exe Infected: Trojan-Clicker.Win32.Delf.yh skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temp\setup123.exe Infected: Trojan-Downloader.Win32.VB.bwb skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temp\syswcc32.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.423 skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temp\syswcc32.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temp\syswcc32.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temp\syswcc32.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temp\syswcc32.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temp\syswcc32.exe RarSFX: infected - 5 skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temp\~DF68F8.tmp Object is locked skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temporary Internet Files\Content.IE5\5N9E54VW\17PHolmes[1].cmt Infected: Trojan-Downloader.Win32.Homles.bm skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temporary Internet Files\Content.IE5\5N9E54VW\syswcc32[1].exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.423 skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temporary Internet Files\Content.IE5\5N9E54VW\syswcc32[1].exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temporary Internet Files\Content.IE5\5N9E54VW\syswcc32[1].exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temporary Internet Files\Content.IE5\5N9E54VW\syswcc32[1].exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temporary Internet Files\Content.IE5\5N9E54VW\syswcc32[1].exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temporary Internet Files\Content.IE5\5N9E54VW\syswcc32[1].exe RarSFX: infected - 5 skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temporary Internet Files\Content.IE5\BA69WZ5S\msiexec[1].exe Infected: Trojan-Clicker.Win32.Agent.tg skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temporary Internet Files\Content.IE5\DCAJEAH9\etr76h[1].exe/data0006 Infected: Trojan-Downloader.Win32.VB.ehl skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temporary Internet Files\Content.IE5\DCAJEAH9\etr76h[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temporary Internet Files\Content.IE5\E4EZK4NU\b2new[1].exe Infected: Trojan-Downloader.Win32.Agent.otg skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temporary Internet Files\Content.IE5\GE93SLQI\7runer[1].exe Infected: not-a-virus:FraudTool.Win32.AntiSpySpider.v skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temporary Internet Files\Content.IE5\L2TUWOUB\ie[1].exe Infected: Trojan-Clicker.Win32.Delf.yh skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temporary Internet Files\Content.IE5\YEVO5Z2M\installer[1].exe/file1 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temporary Internet Files\Content.IE5\YEVO5Z2M\installer[1].exe/file2 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temporary Internet Files\Content.IE5\YEVO5Z2M\installer[1].exe/file4 Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temporary Internet Files\Content.IE5\YEVO5Z2M\installer[1].exe Inno: infected - 3 skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temporary Internet Files\Content.IE5\YEVO5Z2M\setup[1].exe Infected: Trojan-Downloader.Win32.VB.bwb skipped
C:\Documents and Settings\Chad Benoit\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Chad Benoit\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\RECYCLER\S-1-5-21-1671584579-3736493685-1690099941-1005\Dc12.dll Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\RECYCLER\S-1-5-21-1671584579-3736493685-1690099941-1005\Dc15.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP569\A0078598.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP569\A0078633.dll Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP569\A0078635.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP569\A0078635.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP569\A0078635.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP569\A0078700.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP570\A0078728.exe/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP570\A0078728.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP570\A0078728.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP570\A0078745.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP570\A0079745.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP570\A0079747.exe Infected: not-a-virus:AdWare.Win32.WebHancer.423 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP570\A0079749.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP570\A0079750.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP570\A0079816.exe Infected: Trojan-Downloader.Win32.Homles.bm skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP570\A0079825.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP570\A0079836.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP570\A0080832.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP570\A0081970.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP570\A0082039.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP570\A0083038.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP570\change.log Object is locked skipped
C:\WINDOWS\b2new.exe Infected: Trojan-Downloader.Win32.Agent.otg skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\fkwggshm.exe Infected: Trojan.Win32.VB.azo skipped
C:\WINDOWS\lfn.exe Infected: not-virus:Hoax.Win32.Renos.cda skipped
C:\WINDOWS\Q2hhZCBCZW5vaXQ\asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\Q2hhZCBCZW5vaXQ\command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\system32\0.1396601.exe Infected: Trojan-Downloader.Win32.VB.bzi skipped
C:\WINDOWS\system32\1036a\adxparsdll.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\NetLimit.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dFrnx06\dFrnx061083.exe Infected: Trojan-Downloader.Win32.VB.ehl skipped
C:\WINDOWS\system32\egmulhxk.dll Infected: Trojan-Downloader.Win32.VB.bzi skipped
C:\WINDOWS\system32\g50.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\WINDOWS\system32\g50.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\WINDOWS\system32\g50.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\jpwnw64j.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\WINDOWS\system32\lpcywinp.exe Infected: Trojan-Downloader.Win32.VB.bzi skipped
C:\WINDOWS\system32\MUI2\GI-dot4c.exe Infected: Trojan.Win32.Agent.lom skipped
C:\WINDOWS\system32\rwwnw64d.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\WINDOWS\system32\sockins32.dll Infected: not-a-virus:AdWare.Win32.BHO.awz skipped
C:\WINDOWS\system32\spoolX\NsDatdsrv.exe/stream/data0007/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\spoolX\NsDatdsrv.exe/stream/data0007/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\spoolX\NsDatdsrv.exe/stream/data0007 Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\spoolX\NsDatdsrv.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\spoolX\NsDatdsrv.exe NSIS: infected - 4 skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\winRem\xmapi2pi.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\WINDOWS\system32\wmsdkns.exe Infected: not-virus:Hoax.Win32.Renos.cda skipped
C:\WINDOWS\system32\xxyVOhIX.dll Infected: Trojan.Win32.Zapchast.gb skipped

Scan process completed.

I then tried to run DSS as instructed, but it crashed every time when cleaning temporary files. I also tried it in safe mode, and the same problem happened.

I then ran HijackThis and here is the log from it:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:25 PM, on 05/13/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\b2new.exe
C:\Program Files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$WLAUSERPROFILE\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\lpcywinp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Chad Benoit\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BMdb61e42e] Rundll32.exe "C:\WINDOWS\system32\uyjcefel.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.accountonline.com
O15 - Trusted Zone: *.army.mil
O15 - Trusted Zone: citi.bridgetrack.com
O15 - Trusted Zone: www.c21eei.com
O15 - Trusted Zone: www.citi.com
O15 - Trusted Zone: *.citibank.com
O15 - Trusted Zone: support.dell.com
O15 - Trusted Zone: http://www.denversignsupply.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: rad.msn.com
O15 - Trusted Zone: http://www.rci.rutgers.edu
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://192.168.1.4/ConnectComputer/nshelp.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/Facebo...toUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147323092281
O16 - DPF: {6F0C8A84-8B0D-11D2-801B-00105AA78F4A} (CobAgent4 Class) - http://ecare4a.netopia.com/techsupport/eca...t_4.2.1.314.cab
O16 - DPF: {6F0C8A85-8B0D-11D2-801B-00105AA78F4A} (CobAgent4 Class) - http://ecare4a.netopia.com/techsupport/eca...t_4.2.1.316.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://192.168.1.4/Remote/msrdp.cab
O16 - DPF: {7873B468-E762-4143-83E6-7258CB6B5D9D} (ECareAgent Class) - http://ecare4a.netopia.com/techsupport/eca.../ECareAgent.cab
O16 - DPF: {B82FA17C-F3A9-11D2-B5DD-0050041B7FF6} (SAXFile FileDownload ActiveX Control) - http://www.merrillshop.com/SAXFile.cab
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: EPrint III Service - Unknown owner - C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8322 bytes

Anything that can help would be great! My computer is totally unusable at this point. :thumbsup:


#2 Buckeye_Sam

    Malware Expert

Posted 13 May 2008 - 02:01 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 chadwickms

  • Topic Starter

Posted 13 May 2008 - 08:17 PM

Hi BuckeyeSam, thanks for getting back to me so quickly! :thumbsup:

Here is the combofix log:

ComboFix 08-05-12.1 - chad 2008-05-13 20:04:28.2 - NTFSx86
Running from: C:\Documents and Settings\Chad Benoit\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-13 17:33 . 2008-05-13 17:33 123,456 --a------ C:\WINDOWS\system32\mipgirdk.dll
2008-05-12 23:54 . 2008-05-12 23:54 <DIR> d-------- C:\Deckard
2008-05-12 23:51 . 2008-05-12 23:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-12 23:51 . 2008-05-12 23:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-12 23:00 . 2008-05-12 23:00 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-05-12 22:02 . 2008-05-12 22:02 126,016 --------- C:\WINDOWS\system32\uyjcefel.dll_old
2008-05-12 22:02 . 2008-05-13 17:57 109,807 --a------ C:\WINDOWS\BMdb61e42e.xml
2008-05-12 22:02 . 2008-05-12 22:02 2,112 --a------ C:\WINDOWS\system32\cfaonmea.exe
2008-05-12 22:01 . 2008-05-12 22:01 370,688 --------- C:\WINDOWS\system32\iifefGvt.dll
2008-05-11 23:41 . 2008-05-11 23:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-11 23:41 . 2008-05-11 23:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-11 18:21 . 2008-05-12 08:04 <DIR> d-------- C:\!KillBox
2008-05-11 17:10 . 2008-05-11 17:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-11 17:04 . 2008-05-11 18:04 <DIR> d-------- C:\Documents and Settings\Chad Benoit\.housecall6.6
2008-05-11 17:04 . 2008-05-13 12:35 18,432 --a------ C:\WINDOWS\fkwggshm.exe
2008-05-11 16:56 . 2008-05-11 16:56 <DIR> d-------- C:\desktopclean
2008-05-11 16:48 . 2008-05-11 16:48 401,972 --a------ C:\WINDOWS\system32\g50.exe
2008-05-11 16:47 . 2008-05-11 16:47 49,183 --a------ C:\WINDOWS\system32\jpwnw64j.exe
2008-05-11 15:50 . 2008-05-11 15:50 59,120 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-05-11 15:33 . 2008-05-11 15:33 861 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-11 15:31 . 2008-05-11 15:31 <DIR> d-------- C:\WINDOWS\system32\winRem
2008-05-11 15:31 . 2008-05-11 15:31 <DIR> d-------- C:\WINDOWS\system32\spoolX
2008-05-11 15:31 . 2008-05-11 15:31 <DIR> d-------- C:\WINDOWS\system32\MUI2
2008-05-11 15:31 . 2008-05-11 15:31 <DIR> d-------- C:\WINDOWS\system32\dFrnx06
2008-05-11 15:31 . 2008-05-11 15:31 <DIR> d-------- C:\WINDOWS\system32\1036a
2008-05-11 15:31 . 2008-05-11 15:31 <DIR> d-------- C:\Temp\tmpvc14
2008-05-11 15:31 . 2008-05-13 17:39 <DIR> d-------- C:\Temp
2008-05-11 15:31 . 2008-05-11 15:30 25,600 --a------ C:\WINDOWS\b2new.exe
2008-05-11 15:31 . 2008-05-11 15:31 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
2008-05-11 15:30 . 2008-05-11 15:30 59,904 --a------ C:\WINDOWS\system32\nnnmmnKA.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 21:43 --------- d-----w C:\Documents and Settings\Chad Benoit\Application Data\uTorrent
2008-05-11 20:46 --------- d-----w C:\Documents and Settings\Chad Benoit\Application Data\Apple Computer
2008-05-11 20:45 --------- d-----w C:\Program Files\Digital Line Detect
2008-05-11 20:32 88,961 ----a-w C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-05-11 20:32 49,168 ----a-w C:\WINDOWS\system32\rwwnw64d.exe
2008-05-11 20:32 32,768 ----a-w C:\WINDOWS\system32\sockins32.dll
2008-05-11 20:32 298,311 ----a-w C:\WINDOWS\system32\gside.exe
2008-05-11 20:32 167,545 ----a-w C:\WINDOWS\system32\drivers\core.cache(3).dsk
2008-05-11 20:32 167,545 ----a-w C:\WINDOWS\system32\drivers\core.cache(2).dsk
2008-04-19 05:04 --------- d-----w C:\Program Files\Simjack
2008-04-09 06:02 1,994 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-27 15:35 333,824 ----a-w C:\WINDOWS\system32\mysidesearch_sidebar.dll
2008-03-22 17:52 --------- d-----w C:\Program Files\Safari
2008-03-22 17:49 --------- d-----w C:\Program Files\iTunes
2008-03-22 17:49 --------- d-----w C:\Program Files\iPod
2008-03-22 17:47 --------- d-----w C:\Program Files\QuickTime
1999-11-18 19:04 42,256 ----a-w C:\Program Files\clock.exe
2005-08-02 21:46 187,904 --sha-r C:\WINDOWS\Q2hhZCBCZW5vaXQ\asappsrv.dll
2005-08-02 21:58 293,888 --sha-r C:\WINDOWS\Q2hhZCBCZW5vaXQ\command.exe
2005-07-29 21:24 472 --sha-r C:\WINDOWS\Q2hhZCBCZW5vaXQ\kZ11tF1FtqcSurk.vbs
.

((((((((((((((((((((((((((((( snapshot@2008-05-13_17.55.54.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-13 22:47:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 01:01:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-13 22:48:32 227,716 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-14 01:06:08 227,720 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-14 01:02:13 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_134.dat
+ 2008-05-14 01:02:24 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_2c4.dat
+ 2008-05-14 01:02:10 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4439334C-6B99-4C94-A7BD-B5DDD6C83C64}]
2008-05-12 22:01 370688 --------- C:\WINDOWS\system32\iifefGvt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{477840F3-BA52-44D9-8E41-38D61CAA010F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C4AA3EC-A114-419C-8A85-580398C68BDB}]
C:\WINDOWS\system32\opnkLBtS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F830E62-478D-4D75-8398-6BECFEC00D1E}]
C:\WINDOWS\system32\mlJYpMfF.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9506910A-0F94-4ea1-B567-7070428B8B2B}]
2008-03-27 10:35 333824 --a------ C:\WINDOWS\system32\mysidesearch_sidebar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF571BED-8ABD-422E-AF01-DB6E09DF851E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b9980aa8-6550-e1f4-7153-137ce8077a53}]
C:\WINDOWS\system32\{3475bd8d-0b10-1435-134e-426ac8c0e2a1}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC11617C-259E-429c-9063-7D70B8355EBD}]
C:\Program Files\dbar\Deskbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE656BE9-9472-40C2-9D74-CADC8EB80B0C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}]
2008-05-11 15:30 59904 --a------ C:\WINDOWS\system32\nnnmmnKA.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 07:36 729178]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2005-09-01 18:24 684032]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 11:22 405504]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-26 19:34 169984]
"BMdb61e42e"="C:\WINDOWS\system32\mipgirdk.dll" [2008-05-13 17:33 123456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 06:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-05 12:33:57 24576]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"NoActiveDesktopChanges"= 00000000
"NoActiveDesktop"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}"= C:\WINDOWS\system32\nnnmmnKA.dll [2008-05-11 15:30 59904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"= {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmmnKA]
nnnmmnKA.dll 2008-05-11 15:30 59904 C:\WINDOWS\system32\nnnmmnKA.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Chad Benoit^Start Menu^Programs^Accessories^Startup^Deewoo.lnk]
path=C:\Documents and Settings\Chad Benoit\Start Menu\Programs\Accessories\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Chad Benoit^Start Menu^Programs^Accessories^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Chad Benoit\Start Menu\Programs\Accessories\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 06:00 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dbar_starter]
C:\Documents and Settings\Chad Benoit\Application Data\Deskbar_{82ED3EAC-6B3C-4788-80B2-7C504FE4B587}\starter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\mcntqkdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Systray]
--a------ 2008-05-11 15:32 32768 C:\WINDOWS\system32\sockins32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSUpdater]
C:\Program Files\winvi\wupda.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpdater]
C:\Program Files\winvi\update.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{c3aec984-2f2e-8c10-9919-3034c278c6ee}]
C:\WINDOWS\system32\{3475bd8d-0b10-1435-134e-426ac8c0e2a1}.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1136934596\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1136934596\\ee\\aim6.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 MSSQL$RETSDATA;MSSQL$RETSDATA;C:\Program Files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlservr.exe [2002-12-17 18:26]
R2 MSSQL$WLAUSERPROFILE;MSSQL$WLAUSERPROFILE;C:\Program Files\Microsoft SQL Server\MSSQL$WLAUSERPROFILE\Binn\sqlservr.exe [2002-12-17 17:26]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 SQLAgent$RETSDATA;SQLAgent$RETSDATA;C:\Program Files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlagent.EXE [2002-12-17 18:23]
S3 SQLAgent$WLAUSERPROFILE;SQLAgent$WLAUSERPROFILE;C:\Program Files\Microsoft SQL Server\MSSQL$WLAUSERPROFILE\Binn\sqlagent.EXE [2002-12-17 17:23]

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule
.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 23:00:00 C:\WINDOWS\Tasks\8DBA166FB759930B.job"
- c:\docume~1\chadbe~1\applic~1\global~1\Byte bias beep.exe
"2008-04-26 17:35:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-11 19:11:45 C:\WINDOWS\Tasks\Low Battery Alarm Program.job"
- C:\Program Files\BatteryDying\BatteryDying.exe
"2008-05-14 01:10:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{B98C40A3-C58C-46AA-8F26-13CD96DF7C08}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 20:10:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
NoActiveDesktopChanges = 3F 00 00 00
NoActiveDesktop = 63
NoSaveSettings = 63
ClassicShell = 63

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\nnnmmnKA.dll
.
Completion time: 2008-05-13 20:13:16
ComboFix-quarantined-files.txt 2008-05-14 01:12:46
ComboFix2.txt 2008-05-13 22:57:18

Pre-Run: 1,512,775,680 bytes free
Post-Run: 1,497,714,688 bytes free

219


Let me know what's next, thanks! :)

#4 Buckeye_Sam

    Malware Expert

Posted 13 May 2008 - 11:07 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Folder::
C:\WINDOWS\system32\winRem
C:\WINDOWS\system32\spoolX
C:\WINDOWS\system32\MUI2
C:\WINDOWS\system32\dFrnx06
C:\WINDOWS\system32\1036a
C:\Temp\tmpvc14
C:\Program Files\winvi

File::
C:\WINDOWS\system32\mipgirdk.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\uyjcefel.dll_old
C:\WINDOWS\BMdb61e42e.xml
C:\WINDOWS\system32\cfaonmea.exe
C:\WINDOWS\system32\iifefGvt.dll
C:\WINDOWS\fkwggshm.exe
C:\WINDOWS\system32\g50.exe
C:\WINDOWS\system32\jpwnw64j.exe
C:\WINDOWS\system32\mlfcache.dat
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\b2new.exe
C:\WINDOWS\system32\jpewocmz.ini
C:\WINDOWS\system32\nnnmmnKA.dll
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\sockins32.dll
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\mysidesearch_sidebar.dll
C:\WINDOWS\Tasks\8DBA166FB759930B.job

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMdb61e42e"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmmnKA]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dbar_starter]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Systray]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSUpdater]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpdater]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{c3aec984-2f2e-8c10-9919-3034c278c6ee}]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new DSS log.

#5 chadwickms

  • Topic Starter

Posted 14 May 2008 - 12:40 PM

Buckeye_Sam:

Here is the last log from running combofix as directed:

ComboFix 08-05-12.1 - chad 2008-05-14 12:15:44.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.612 [GMT -5:00]
Running from: C:\Documents and Settings\Chad Benoit\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Chad Benoit\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\b2new.exe
C:\WINDOWS\BMdb61e42e.xml
C:\WINDOWS\fkwggshm.exe
C:\WINDOWS\system32\cfaonmea.exe
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\g50.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\iifefGvt.dll
C:\WINDOWS\system32\jpewocmz.ini
C:\WINDOWS\system32\jpwnw64j.exe
C:\WINDOWS\system32\mipgirdk.dll
C:\WINDOWS\system32\mlfcache.dat
C:\WINDOWS\system32\mysidesearch_sidebar.dll
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\nnnmmnKA.dll
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\sockins32.dll
C:\WINDOWS\system32\uyjcefel.dll_old
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\Tasks\8DBA166FB759930B.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\tmpvc14
C:\Temp\tmpvc14\dllvc.log
C:\WINDOWS\b2new.exe
C:\WINDOWS\BMdb61e42e.xml
C:\WINDOWS\fkwggshm.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\1036a
C:\WINDOWS\system32\1036a\adxparsdll.exe
C:\WINDOWS\system32\cfaonmea.exe
C:\WINDOWS\system32\dFrnx06
C:\WINDOWS\system32\dFrnx06\dFrnx061083.exe
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\g50.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\iifefGvt.dll
C:\WINDOWS\system32\jpewocmz.ini
C:\WINDOWS\system32\jpwnw64j.exe
C:\WINDOWS\system32\mipgirdk.dll
C:\WINDOWS\system32\mlfcache.dat
C:\WINDOWS\system32\MUI2
C:\WINDOWS\system32\MUI2\GI-dot4c.exe
C:\WINDOWS\system32\mysidesearch_sidebar.dll
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\nnnmmnKA.dll
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\sockins32.dll
C:\WINDOWS\system32\spoolX
C:\WINDOWS\system32\spoolX\NsDatdsrv.exe
C:\WINDOWS\system32\tvGfefii.ini
C:\WINDOWS\system32\tvGfefii.ini2
C:\WINDOWS\system32\uyjcefel.dll_old
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\winRem
C:\WINDOWS\system32\winRem\xmapi2pi.exe
C:\WINDOWS\Tasks\8DBA166FB759930B.job

.
((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-14 12:11 . 2008-05-14 12:11 2,112 --a------ C:\WINDOWS\system32\gbnvdkyx.exe
2008-05-14 08:12 . 2008-05-14 08:12 131,648 --a------ C:\WINDOWS\system32\tfhsstbf.dll
2008-05-14 08:12 . 2008-05-14 08:12 113,728 --a------ C:\WINDOWS\system32\kablkiga.dll
2008-05-14 08:12 . 2008-05-14 12:31 474 ---hs---- C:\WINDOWS\system32\agiklbak.ini
2008-05-14 08:10 . 2008-05-14 08:10 124,480 --a------ C:\WINDOWS\system32\ftamvnhn.dll
2008-05-12 23:54 . 2008-05-12 23:54 <DIR> d-------- C:\Deckard
2008-05-12 23:51 . 2008-05-12 23:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-12 23:51 . 2008-05-12 23:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-11 23:41 . 2008-05-14 08:14 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-11 23:41 . 2008-05-14 08:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-11 18:21 . 2008-05-12 08:04 <DIR> d-------- C:\!KillBox
2008-05-11 17:10 . 2008-05-11 17:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-11 17:04 . 2008-05-11 18:04 <DIR> d-------- C:\Documents and Settings\Chad Benoit\.housecall6.6
2008-05-11 16:56 . 2008-05-11 16:56 <DIR> d-------- C:\desktopclean
2008-05-11 15:31 . 2008-05-14 12:17 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 21:43 --------- d-----w C:\Documents and Settings\Chad Benoit\Application Data\uTorrent
2008-05-11 20:46 --------- d-----w C:\Documents and Settings\Chad Benoit\Application Data\Apple Computer
2008-05-11 20:45 --------- d-----w C:\Program Files\Digital Line Detect
2008-04-19 05:04 --------- d-----w C:\Program Files\Simjack
2008-03-22 17:52 --------- d-----w C:\Program Files\Safari
2008-03-22 17:49 --------- d-----w C:\Program Files\iTunes
2008-03-22 17:49 --------- d-----w C:\Program Files\iPod
2008-03-22 17:47 --------- d-----w C:\Program Files\QuickTime
1999-11-18 19:04 42,256 ----a-w C:\Program Files\clock.exe
2005-08-02 21:46 187,904 --sha-r C:\WINDOWS\Q2hhZCBCZW5vaXQ\asappsrv.dll
2005-08-02 21:58 293,888 --sha-r C:\WINDOWS\Q2hhZCBCZW5vaXQ\command.exe
2005-07-29 21:24 472 --sha-r C:\WINDOWS\Q2hhZCBCZW5vaXQ\kZ11tF1FtqcSurk.vbs
.

((((((((((((((((((((((((((((( snapshot@2008-05-13_17.55.54.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-13 22:47:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 17:29:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-13 22:48:32 227,716 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-14 17:29:51 227,726 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-14 17:29:49 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1d4.dat
+ 2008-05-14 17:29:50 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_208.dat
+ 2008-05-14 17:29:51 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_284.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C4AA3EC-A114-419C-8A85-580398C68BDB}]
C:\WINDOWS\system32\opnkLBtS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F830E62-478D-4D75-8398-6BECFEC00D1E}]
C:\WINDOWS\system32\mlJYpMfF.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72f7fac5-4bd9-4912-8c2b-8ebc62e43957}]
2008-05-14 08:12 131648 --a------ C:\WINDOWS\system32\tfhsstbf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b9980aa8-6550-e1f4-7153-137ce8077a53}]
C:\WINDOWS\system32\{3475bd8d-0b10-1435-134e-426ac8c0e2a1}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC11617C-259E-429c-9063-7D70B8355EBD}]
C:\Program Files\dbar\Deskbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 07:36 729178]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2005-09-01 18:24 684032]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 11:22 405504]
"d852d7b2"="C:\WINDOWS\system32\kablkiga.dll" [2008-05-14 08:12 113728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 06:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-05 12:33:57 24576]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"NoActiveDesktopChanges"= 00000000
"NoActiveDesktop"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^Chad Benoit^Start Menu^Programs^Accessories^Startup^Deewoo.lnk]
path=C:\Documents and Settings\Chad Benoit\Start Menu\Programs\Accessories\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Chad Benoit^Start Menu^Programs^Accessories^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Chad Benoit\Start Menu\Programs\Accessories\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 06:00 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1136934596\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1136934596\\ee\\aim6.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 MSSQL$RETSDATA;MSSQL$RETSDATA;C:\Program Files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlservr.exe [2002-12-17 18:26]
R2 MSSQL$WLAUSERPROFILE;MSSQL$WLAUSERPROFILE;C:\Program Files\Microsoft SQL Server\MSSQL$WLAUSERPROFILE\Binn\sqlservr.exe [2002-12-17 17:26]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 SQLAgent$RETSDATA;SQLAgent$RETSDATA;C:\Program Files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlagent.EXE [2002-12-17 18:23]
S3 SQLAgent$WLAUSERPROFILE;SQLAgent$WLAUSERPROFILE;C:\Program Files\Microsoft SQL Server\MSSQL$WLAUSERPROFILE\Binn\sqlagent.EXE [2002-12-17 17:23]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule
.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 17:35:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-11 19:11:45 C:\WINDOWS\Tasks\Low Battery Alarm Program.job"
- C:\Program Files\BatteryDying\BatteryDying.exe
"2008-05-14 17:35:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{B98C40A3-C58C-46AA-8F26-13CD96DF7C08}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 12:30:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
NoActiveDesktopChanges = 3F 00 00 00
NoActiveDesktop = 63
NoSaveSettings = 63
ClassicShell = 63

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\kablkiga.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-05-14 12:37:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-14 17:36:32
ComboFix2.txt 2008-05-14 01:13:18
ComboFix3.txt 2008-05-13 22:57:18

Pre-Run: 1,554,952,192 bytes free
Post-Run: 1,538,637,824 bytes free

222

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 14 May 2008 - 05:58 PM

Let's hit it again.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\gbnvdkyx.exe
C:\WINDOWS\system32\tfhsstbf.dll
C:\WINDOWS\system32\kablkiga.dll
C:\WINDOWS\system32\agiklbak.ini
C:\WINDOWS\system32\ftamvnhn.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C4AA3EC-A114-419C-8A85-580398C68BDB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F830E62-478D-4D75-8398-6BECFEC00D1E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72f7fac5-4bd9-4912-8c2b-8ebc62e43957}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b9980aa8-6550-e1f4-7153-137ce8077a53}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC11617C-259E-429c-9063-7D70B8355EBD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d852d7b2"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]

Prior to running ComboFix.exe you should disable your antivirus program and disconnect from the internet.

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
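An added example, not from this thread or from ComboFix itself: a small Python checker that parses a CFScript like the one above (its File:: and Registry:: sections) and then confirms that the ComboFix log posted afterwards reports every requested file under "Other Deletions" and no longer references the removed files, the deleted BHO's CLSID or the deleted Run value in its later sections. The CFScript and log excerpts inside it are constructed, modelled on this thread, and the treatment of ComboFix's banner lines as section boundaries is an assumption about the log layout, not documented behaviour.

```python
"""Hypothetical checker (not ComboFix code): verify a ComboFix log against its CFScript."""
import re

# Constructed CFScript excerpt, modelled on the one posted in this thread.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\gbnvdkyx.exe
C:\WINDOWS\system32\kablkiga.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C4AA3EC-A114-419C-8A85-580398C68BDB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d852d7b2"=-
"""

# Constructed log excerpt in which the script took effect (ComboFix echoes the
# script under "FILE ::" before the banner-delimited sections begin).
CLEAN_LOG = r"""FILE ::
C:\WINDOWS\system32\gbnvdkyx.exe
C:\WINDOWS\system32\kablkiga.dll
(((((((((((( Other Deletions ))))))))))))
C:\WINDOWS\system32\gbnvdkyx.exe
C:\WINDOWS\system32\kablkiga.dll
(((((((((((( Reg Loading Points ))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
------------ Other Running Processes ------------
C:\WINDOWS\system32\snmp.exe
"""

# Constructed log excerpt in which one DLL survived and the Run value is still set.
DIRTY_LOG = r"""(((((((((((( Other Deletions ))))))))))))
C:\WINDOWS\system32\gbnvdkyx.exe
(((((((((((( Reg Loading Points ))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d852d7b2"="C:\WINDOWS\system32\gbnvdkyx.exe"
------------ DLLs Loaded Under Running Processes ------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\kablkiga.dll
"""

# ComboFix section banners look like "(((( Other Deletions ))))" or "---- Title ----".
BANNER = re.compile(r"^[(\-]{3,}\s*([^()\-].*?)\s*[)\-]{3,}$")
VALUE_DELETE = re.compile(r'^"([^"]+)"=-$')   # '"name"=-' deletes a single value


def parse_cfscript(text):
    """Return the files, keys and values the CFScript asks ComboFix to remove."""
    plan = {"files": [], "key_deletes": [], "value_deletes": []}
    section = current_key = None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.endswith("::"):                        # "File::", "Registry::", ...
            section, current_key = line[:-2].lower(), None
        elif section == "file":
            plan["files"].append(line)
        elif section == "registry" and line.startswith("[-"):
            plan["key_deletes"].append(line[2:-1])     # whole key removed
        elif section == "registry" and line.startswith("["):
            current_key = line[1:-1]                   # value lines below belong here
        elif section == "registry" and current_key:
            m = VALUE_DELETE.match(line)
            if m:
                plan["value_deletes"].append((current_key, m.group(1)))
    return plan


def split_log_sections(text):
    """Map each banner title to the lines under it; the preamble goes under 'header'."""
    sections, current = {"header": []}, "header"
    for raw in text.splitlines():
        m = BANNER.match(raw.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(raw)
    return sections


def verify_cleanup(plan, log_text):
    """Return findings; an empty list means the log is consistent with the script."""
    sections = split_log_sections(log_text)
    deleted = {ln.strip().lower() for ln in sections.get("Other Deletions", [])}
    findings = [f"not reported deleted: {p}" for p in plan["files"] if p.lower() not in deleted]
    # Items the script removed should not be referenced again in the later sections.
    gone = [p.lower() for p in plan["files"]]
    gone += [k.rsplit("\\", 1)[-1].lower() for k in plan["key_deletes"]]   # e.g. a BHO's {CLSID}
    gone += [f'"{v.lower()}"=' for _key, v in plan["value_deletes"]]
    for name, lines in sections.items():
        if name in ("header", "Other Deletions"):   # the header only echoes the script
            continue
        body = "\n".join(lines).lower()
        findings += [f"{item} still referenced in '{name}'" for item in gone if item in body]
    return findings


if __name__ == "__main__":
    plan = parse_cfscript(CFSCRIPT)
    print("clean log:", verify_cleanup(plan, CLEAN_LOG) or "no findings")
    print("dirty log:", verify_cleanup(plan, DIRTY_LOG))
```

Run against the real CFScript.txt and the ComboFix.txt it produced, an empty finding list is the quick check that the requested items really left the machine before asking for the next scan.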


========================================================

#7 chadwickms

chadwickms
  • Topic Starter

  • Members
  • 12 posts

Posted 14 May 2008 - 10:06 PM

Still have some issues: my start page in both IE and Firefox is hijacked, and there is a fake REAL "Windows Security Alert" icon in the taskbar. The computer is still slow, but better.

Edited: guess I was so used to the scam ones, but that was a legit Windows Security Alert about the firewall and antivirus being disabled, to let ComboFix do its job.

Here is the latest ComboFix log as directed:

ComboFix 08-05-12.1 - chad 2008-05-14 21:44:05.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.643 [GMT -5:00]
Running from: C:\Documents and Settings\Chad Benoit\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Chad Benoit\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\agiklbak.ini
C:\WINDOWS\system32\ftamvnhn.dll
C:\WINDOWS\system32\gbnvdkyx.exe
C:\WINDOWS\system32\kablkiga.dll
C:\WINDOWS\system32\tfhsstbf.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\agiklbak.ini
C:\WINDOWS\system32\ftamvnhn.dll
C:\WINDOWS\system32\gbnvdkyx.exe
C:\WINDOWS\system32\kablkiga.dll
C:\WINDOWS\system32\tfhsstbf.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))
.

2008-05-12 23:54 . 2008-05-12 23:54 <DIR> d-------- C:\Deckard
2008-05-12 23:51 . 2008-05-12 23:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-12 23:51 . 2008-05-12 23:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-11 23:41 . 2008-05-14 08:14 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-11 23:41 . 2008-05-14 08:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-11 18:21 . 2008-05-12 08:04 <DIR> d-------- C:\!KillBox
2008-05-11 17:10 . 2008-05-11 17:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-11 17:04 . 2008-05-11 18:04 <DIR> d-------- C:\Documents and Settings\Chad Benoit\.housecall6.6
2008-05-11 16:56 . 2008-05-11 16:56 <DIR> d-------- C:\desktopclean
2008-05-11 15:31 . 2008-05-14 12:17 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 21:43 --------- d-----w C:\Documents and Settings\Chad Benoit\Application Data\uTorrent
2008-05-11 20:46 --------- d-----w C:\Documents and Settings\Chad Benoit\Application Data\Apple Computer
2008-05-11 20:45 --------- d-----w C:\Program Files\Digital Line Detect
2008-04-19 05:04 --------- d-----w C:\Program Files\Simjack
2008-03-22 17:52 --------- d-----w C:\Program Files\Safari
2008-03-22 17:49 --------- d-----w C:\Program Files\iTunes
2008-03-22 17:49 --------- d-----w C:\Program Files\iPod
2008-03-22 17:47 --------- d-----w C:\Program Files\QuickTime
1999-11-18 19:04 42,256 ----a-w C:\Program Files\clock.exe
2005-08-02 21:46 187,904 --sha-r C:\WINDOWS\Q2hhZCBCZW5vaXQ\asappsrv.dll
2005-08-02 21:58 293,888 --sha-r C:\WINDOWS\Q2hhZCBCZW5vaXQ\command.exe
2005-07-29 21:24 472 --sha-r C:\WINDOWS\Q2hhZCBCZW5vaXQ\kZ11tF1FtqcSurk.vbs
.

((((((((((((((((((((((((((((( snapshot@2008-05-13_17.55.54.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-13 22:47:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-15 02:48:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-13 22:48:32 227,716 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-15 02:48:58 227,716 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-15 02:48:55 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1d8.dat
+ 2008-05-15 02:48:58 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_20c.dat
+ 2008-05-15 02:48:58 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_290.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 07:36 729178]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2005-09-01 18:24 684032]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 11:22 405504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 06:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-05 12:33:57 24576]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"NoActiveDesktopChanges"= 00000000
"NoActiveDesktop"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^Chad Benoit^Start Menu^Programs^Accessories^Startup^Deewoo.lnk]
path=C:\Documents and Settings\Chad Benoit\Start Menu\Programs\Accessories\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Chad Benoit^Start Menu^Programs^Accessories^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Chad Benoit\Start Menu\Programs\Accessories\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 06:00 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1136934596\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1136934596\\ee\\aim6.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 MSSQL$RETSDATA;MSSQL$RETSDATA;C:\Program Files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlservr.exe [2002-12-17 18:26]
R2 MSSQL$WLAUSERPROFILE;MSSQL$WLAUSERPROFILE;C:\Program Files\Microsoft SQL Server\MSSQL$WLAUSERPROFILE\Binn\sqlservr.exe [2002-12-17 17:26]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 SQLAgent$RETSDATA;SQLAgent$RETSDATA;C:\Program Files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlagent.EXE [2002-12-17 18:23]
S3 SQLAgent$WLAUSERPROFILE;SQLAgent$WLAUSERPROFILE;C:\Program Files\Microsoft SQL Server\MSSQL$WLAUSERPROFILE\Binn\sqlagent.EXE [2002-12-17 17:23]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 17:35:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-11 19:11:45 C:\WINDOWS\Tasks\Low Battery Alarm Program.job"
- C:\Program Files\BatteryDying\BatteryDying.exe
"2008-05-15 02:55:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{B98C40A3-C58C-46AA-8F26-13CD96DF7C08}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 21:49:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
NoActiveDesktopChanges = 3F 00 00 00
NoActiveDesktop = 63
NoSaveSettings = 63
ClassicShell = 63

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\WINDOWS\system32\snmp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-05-14 21:56:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-15 02:55:49
ComboFix2.txt 2008-05-14 17:37:01
ComboFix3.txt 2008-05-14 01:13:18
ComboFix4.txt 2008-05-13 22:57:18

Pre-Run: 1,515,180,032 bytes free
Post-Run: 1,500,868,608 bytes free

150


Thanks! :thumbsup:

Edited by chadwickms, 14 May 2008 - 11:21 PM.


#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 15 May 2008 - 07:45 AM

So your desktop is still infected?


Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 chadwickms

chadwickms
  • Topic Starter

  • Members
  • 12 posts

Posted 15 May 2008 - 06:00 PM

Everything _seems_ okay now, but here is the log from SUPERAntiSpyware to see if I am clean:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/15/2008 at 10:07 AM

Application Version : 4.0.1154

Core Rules Database Version : 3461
Trace Rules Database Version: 1452

Scan type : Complete Scan
Total Scan Time : 00:59:26

Memory items scanned : 427
Memory threats detected : 0
Registry items scanned : 6595
Registry threats detected : 0
File items scanned : 72243
File threats detected : 770

Adware.Tracking Cookie
C:\Documents and Settings\Chad Benoit\Cookies\chad@nextag[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@sixapart.adbureau[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad_benoit@myriadnetworks[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@t1.trackalyzer[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@uk.sitestat[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@dillards.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ad2.m5-systems[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@sixapart.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@itxt.vibrantmedia[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@stat.onestat[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@web-stat[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@sec1.liveperson[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@tacoda[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@keywordmax[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@stpetersburgtimes.122.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@adinterax[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.accountonline[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@overture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@weborama[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad_benoit@tracker.affistats[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@dealtime[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@adv.webmd[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@cnn.122.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.pointroll[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@adecn[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.mediamayhemcorp[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ad6.bannerbank[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.poweradvertising[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@nir.regaccount[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@kanoodle[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@msnportal.112.2o7[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.realtechnetwork[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@microsofteup.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad_benoit@www.warezforumz[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@offers.intermediainteractive[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@server.iad.liveperson[11].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@shoplocl.adbureau[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@hitbox[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@insightexpressai[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@usenext[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad_benoit@webmd.122.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad_benoit@e-2dj6wglieiazwcp.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad_benoit@paypal.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wblowkajkap.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@anad.tacoda[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@tripod[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@atdmt[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@bs.serving-sys[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@spylog[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@divx.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@networksolutions.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.telecomfinders[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@stats4.clicktracks[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@id-enhancements[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.infinite-ads[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@adopt.specificclick[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.amazinginfoonhomosexuals[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ctxtad.tribalfusion[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ecnext.advertserve[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.guardian.co[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@azjmp[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@nextstat[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@amazinginfoonhomosexuals[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@stats.infomedia[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@viacomedycentralrl.112.2o7[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@pt.crossmediaservices[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@tradedoubler[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@homestore.122.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@imageads6.googleadservices[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@view.atdmt[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@dnsstuff.adbureau[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.addynamix[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@stats.erau[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@adserver.easyad[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@sales.liveperson[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@smileycentral[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@perf.overture[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@view.atdmt[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@drivecleaner[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ad-net.com[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@media.adfrontiers[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.as4x.tmcs[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@blockbuster.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www4.addfreestats[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@msninvite.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@creative.clicksor[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@a.findarticles[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@rotator.adjuggler[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.revsci[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@specificclick[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@citi.bridgetrack[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.onlineemedia[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@planetout.122.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@gaypornaccess[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@web4.realtracker[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.insightexpress[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@qnsr[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@findrxonline[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@stat.dealtime[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@gostats[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@fortunecity[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@telecomfinders[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@view.atdmt[8].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@mcclatchy.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@adnetserver[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@adtech[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.tqlkg[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@sales.liveperson[7].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ad-demo.bmezine[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wfkislcpkco.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@bannerads.zwire[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wfkismazcfp.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@CA2D2JSF.txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@stats2.clicktracks[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@bizrate[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.wise-finder[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@cancertreatmentcenter.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.dealtime[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@stats.espinthebottle[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@sales.liveperson[6].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@microsoftwga.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@hearstmagazines.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.findrxonline[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@clickshift[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wfloulcjsgq.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@bleepingmachines[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@CA0P2Q1B.txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.traderonline[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@findarticles[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www8.addfreestats[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@fonefinder[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@track.bestbuy[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@sales.liveperson[10].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@nielsen.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@stats.erau[3].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@media.myfoxny[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wbk4uncjseo.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@uk.sitestat[3].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@tracking.foxnews[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.popuptraffic[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.mlsfinder[3].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@hc2.humanclick[3].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@indextools[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.aspalliance[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ad.gen.tbn[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@angleinteractive.directtrack[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@usatoday1.112.2o7[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ar.atwola[3].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@enhance[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@sales.liveperson[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@view.atdmt[3].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@brightcove.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ford.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@msnaccountservices.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@pro-market[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@mediablvd[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@gfi.122.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.mlsfinder[4].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@yadro[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.owen-media-store[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.xctrk[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@list[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@sitestat.mayoclinic[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@videoegg.adbureau[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ar.atwola[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@counter.rewardsnetwork[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@view.atdmt[5].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wfkighajwcp.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wfmiqpd5glp.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@stormingmedia[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads2.newtimes[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@view.atdmt[10].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@sales.liveperson[8].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.adgarden[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@hc2.humanclick[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ehg-pcsecurityshield.hitbox[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@qksrv[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@view.atdmt[11].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@view.atdmt[9].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@verizonmci.122.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@shopping.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wjlowpd5mfo.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@tremor.adbureau[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@accountonline[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wjnyalczsbo.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.adtrak[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wjl4wmd5iao.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@view.atdmt[6].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@techfinder.theinquirer[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@toplist[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@embarq.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@s.clickability[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@socialmedia[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@mediablvd.us.intellitxt[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wjny-1mc5sg.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www1.addfreestats[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@m3.tradersmedia[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@superstats[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@adt.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wjmisncjgao.stats.esomniture[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wfmicjdzahq.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@mikonjalat.tripod[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.cluster02.oasis.zmh.zope[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.cnn[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@robsstation.tripod[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@CALI0ENV.txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wjk4sidjchq.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@xiti[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@medhelpinternational.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@view.atdmt[7].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@adserver3.teracent[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@directtrack[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wfk4wjazsco.stats.esomniture[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wgkislczkgp.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@eyewonder[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@m1.webstats.motigo[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@cbs.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@server.iad.liveperson[3].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@bellsouth.mediaroom[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@revenue[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@incentaclick[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@media-bucket[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@media.www.wkuherald[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@valueclick[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.pointroll[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.w3counter[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@server.iad.liveperson[7].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@safaribooks.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.bridgetrack[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads3.blastro[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@eas.apm.emediate[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@redorbit[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@traffic.buyservices[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wjmywhd5gfo.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@anheuserbusch.122.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@counter.auctionworks[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@dvdtracker[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wjnyqmd5afp.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wjlyelcpmdo.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@inteletrack[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@CAIRD3WZ.txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@banners.guns[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.realtechnetwork[3].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wflosjcjggp.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@view.atdmt[4].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@metacafe.122.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ipoint.targetpoint[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ar.atwola[4].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@media.www.dailypennsylvanian[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@partners.tattomedia[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@he.valueclick[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@rismedia[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@CA0C794M.txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@webstat[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ad.uk.tangozebra[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@nebuad.adjuggler[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@gunshopfinder[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@uk.sitestat[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@stats.sphere[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@palmone.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads2.drivelinemedia[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@track.websitetrafficreport[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wjkychcpsco.stats.esomniture[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wjnygmdjogo.stats.esomniture[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6walyalc5geo.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@nextag.co[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@viamtvcom.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ebsco.122.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@trafficcenter[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@tracking.citibank[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@optimize.indieclick[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.clickfln[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ar.atwola[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@goodforthecountry[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@123stat[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@gaycollegesexparties[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads4.blastro[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wjkoulazalo.stats.esomniture[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ad1.clickhype[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@stolenpornpasswords[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@store.hillarynutcracker[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@123count[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@blethenmaine.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.gmodules[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.associatedcontent[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@server.iad.liveperson[8].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wfkoqpcjgdq.stats.esomniture[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@richmedia.yahoo[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wfmiwhdjmhp.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.drivecleaner[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.gmodules[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wfkiqoczebo.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@gcc-00.googleadservices[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.adservtech[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@bravenet[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.gaycollegesexparties[3].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.gaycollegesexparties[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.swiftnews[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@collective-media[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.incentaclick[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@us.2.cqcounter[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@CALWGOQX.txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@media6degrees[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@counter.inkfrog[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@service.tremormedia[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@data2.perf.overture[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@server.iad.liveperson[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@govtrack[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@CAR9AZVU.txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@media.zoominfo[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@5.go.globaladsales[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@bannerads.zwire[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wjnyuhdjilp.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@heavycom.122.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@clicks.falconstudios[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.think-adz[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.lamarcounty[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@multiply.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@2.adbrite[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@app.insightgrit[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.findlaw[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.advertising365[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@flagcounter[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@cache.trafficmp[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@nandomedia[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@underarmour.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@findlaw[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@iad.liveperson[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.ak.facebook[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@click2houston[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@clicktorrent[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.click2houston[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@CAYD35BW.txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.cluster01.oasis.zmh.zope[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.enhanced911[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@1.adbrite[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.techguy[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@buycom.122.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.telegraph.co[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@lulu.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@newstat[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@CAR0FSW6.txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@media.medhelp[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.joinaxxess[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@leeenterprises.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@interclick[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@primediamags[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@sevenloadgmbh.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@media.mtvnservices[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@CAWDJK2O.txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@server.iad.liveperson[5].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@server.iad.liveperson[9].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@tagiq.clickforensics[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads2.blastro[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wgk4kicjcap.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www.stormingmedia[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@upi.112.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@meetupcom.122.2o7[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@trafficbiz[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@popunderadvertise[3].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@www3.addfreestats[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@dl2.ads2media[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.ocolly[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@media.chicagoreader[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wfkiekcpaco.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.vlaze[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@ads.financialcontent[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@adserver.adreactor[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wfkikpazwaq.stats.esomniture[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@teenidols4you[1].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@e-2dj6wbmywpdzmao.stats.esomniture[2].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@server.iad.liveperson[10].txt
C:\Documents and Settings\Chad Benoit\Cookies\chad@CAOG3JOF.txt

Adware.Lop-Variant
C:\DOCUMENTS AND SETTINGS\CHAD BENOIT\APPLICATION DATA\GLOBAL FLAG\BYTE BIAS BEEP.EXE
C:\DOCUMENTS AND SETTINGS\CHAD BENOIT\APPLICATION DATA\GLOBAL FLAG\GPL ENC.EXE
C:\DOCUMENTS AND SETTINGS\CHAD BENOIT\APPLICATION DATA\GLOBAL FLAG\XETLOKRE.EXE

Rogue.Multi-Dropper/Installer
C:\QOOBOX\QUARANTINE\C\WINDOWS\LFN.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WMSDKNS.EXE.VIR

Adware.Adservs
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\1036A\ADXPARSDLL.EXE.VIR
C:\WINDOWS\Q2HHZCBCZW5VAXQ\ASAPPSRV.DLL

Trojan.Downloader-FakeRX
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EGMULHXK.DLL.VIR

Trojan.Unclassified/BrowserDriver
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\JPWNW64J.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\RWWNW64D.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WINREM\XMAPI2PI.EXE.VIR

Trojan.Unclassified/LPCYWINP
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LPCYWINP.EXE.VIR

Rootkit.TNCore-Installer
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\MUI2\GI-DOT4C.EXE.VIR

Unclassified.Unknown Origin
C:\WINDOWS\Q2HHZCBCZW5VAXQ\COMMAND.EXE

Trojan.Unknown Origin
C:\WINDOWS\Q2HHZCBCZW5VAXQ\KZ11TF1FTQCSURK.VBS

Adware.Look2Me
C:\WINDOWS\SYSTEM32\UPDINST.EXE

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 May 2008 - 02:01 AM

Looks good. Please post one more log from DSS.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 chadwickms

chadwickms
  • Topic Starter

  • Members
  • 12 posts

Posted 16 May 2008 - 08:42 AM

I hope so... I did a Kaspersky scan last night while I was waiting to hear back from you, and it found a few things. May I post the log from that?

Here is the DSS log file you requested:

Deckard's System Scanner v20071014.68
Run by chad on 2008-05-16 08:31:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 0.6 GiB (less than 15%) free.


-- HijackThis (run as chad.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:34 AM, on 5/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$WLAUSERPROFILE\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Chad Benoit\Desktop\dss.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\Windows-KB890830-V1.41.exe
c:\4c22965a87c39b604c53145ce1\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\DOCUME~1\CHADBE~1\Desktop\chad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.accountonline.com
O15 - Trusted Zone: *.army.mil
O15 - Trusted Zone: citi.bridgetrack.com
O15 - Trusted Zone: www.c21eei.com
O15 - Trusted Zone: www.citi.com
O15 - Trusted Zone: *.citibank.com
O15 - Trusted Zone: support.dell.com
O15 - Trusted Zone: http://www.denversignsupply.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: rad.msn.com
O15 - Trusted Zone: http://www.rci.rutgers.edu
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://192.168.1.4/ConnectComputer/nshelp.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/Facebo...toUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147323092281
O16 - DPF: {6F0C8A84-8B0D-11D2-801B-00105AA78F4A} (CobAgent4 Class) - http://ecare4a.netopia.com/techsupport/eca...t_4.2.1.314.cab
O16 - DPF: {6F0C8A85-8B0D-11D2-801B-00105AA78F4A} (CobAgent4 Class) - http://ecare4a.netopia.com/techsupport/eca...t_4.2.1.316.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://192.168.1.4/Remote/msrdp.cab
O16 - DPF: {7873B468-E762-4143-83E6-7258CB6B5D9D} (ECareAgent Class) - http://ecare4a.netopia.com/techsupport/eca.../ECareAgent.cab
O16 - DPF: {B82FA17C-F3A9-11D2-B5DD-0050041B7FF6} (SAXFile FileDownload ActiveX Control) - http://www.merrillshop.com/SAXFile.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: EPrint III Service - Unknown owner - C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7831 bytes

-- Files created between 2008-04-16 and 2008-05-16 -----------------------------

2008-05-16 08:31:15 0 d-------- C:\4c22965a87c39b604c53145ce1
2008-05-15 08:27:44 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-15 08:25:40 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-15 08:25:40 0 d-------- C:\Documents and Settings\Chad Benoit\Application Data\SUPERAntiSpyware.com
2008-05-15 08:12:06 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-15 08:08:53 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-13 17:34:16 68096 --a------ C:\WINDOWS\zip.exe
2008-05-13 17:34:16 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-13 17:34:16 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-13 17:34:16 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-13 17:34:16 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-13 17:34:16 98816 --a------ C:\WINDOWS\sed.exe
2008-05-13 17:34:16 80412 --a------ C:\WINDOWS\grep.exe
2008-05-13 17:34:16 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-12 23:51:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-12 23:51:45 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-11 23:41:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-11 18:21:24 0 d-------- C:\!KillBox
2008-05-11 17:04:50 0 d-------- C:\Documents and Settings\Chad Benoit\.housecall6.6
2008-05-11 16:56:19 0 d-------- C:\desktopclean
2008-05-11 15:32:10 0 d--hs---- C:\WINDOWS\Q2hhZCBCZW5vaXQ
2008-05-11 15:31:42 0 d-------- C:\Temp
2008-05-03 18:49:15 0 d-------- C:\Documents and Settings\Everyone Else\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-05-15 08:08:53 0 d-------- C:\Program Files\Common Files
2008-05-11 16:43:16 0 d-------- C:\Documents and Settings\Chad Benoit\Application Data\uTorrent
2008-05-11 15:46:29 0 d-------- C:\Documents and Settings\Chad Benoit\Application Data\Apple Computer
2008-05-11 15:45:34 0 d-------- C:\Program Files\Digital Line Detect
2008-04-19 00:04:50 0 d-------- C:\Program Files\Simjack
2008-04-09 01:02:48 1994 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-09 01:02:48 56 -r-hs---- C:\WINDOWS\system32\8AE0345646.sys
2008-03-22 12:52:31 0 d-------- C:\Program Files\Safari
2008-03-22 12:49:22 0 d-------- C:\Program Files\iTunes
2008-03-22 12:49:09 0 d-------- C:\Program Files\iPod
2008-03-22 12:47:54 0 d-------- C:\Program Files\QuickTime
2008-03-19 22:13:16 0 d-------- C:\Documents and Settings\Chad Benoit\Application Data\Real


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [06/24/2005 07:36 AM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [09/01/2005 06:24 PM]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [05/10/2007 11:22 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [1/5/2006 12:33:57 PM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [12/17/2002 6:23:32 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"NoActiveDesktopChanges"=00000000
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=01000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Chad Benoit^Start Menu^Programs^Accessories^Startup^Deewoo.lnk]
path=C:\Documents and Settings\Chad Benoit\Start Menu\Programs\Accessories\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Chad Benoit^Start Menu^Programs^Accessories^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Chad Benoit\Start Menu\Programs\Accessories\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc
bthsvcs BthServ

*Newly Created Service* - SASDIFSV



-- End of Deckard's System Scanner: finished at 2008-05-16 08:32:14 ------------

Thanks :thumbsup:

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 May 2008 - 08:51 AM

Go ahead and delete this folder.

C:\WINDOWS\Q2hhZCBCZW5vaXQ


And post that log from Kaspersky. I'm guessing anything that it found is in system restore or already quarantined, but let's be sure.


========================================================

#13 chadwickms

chadwickms
  • Topic Starter

  • Members
  • 12 posts

Posted 16 May 2008 - 08:55 AM

Here is the Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 15, 2008 9:32:36 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/05/2008
Kaspersky Anti-Virus database records: 776903
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 73801
Number of viruses found: 16
Number of infected objects: 24
Number of suspicious objects: 46
Duration of the scan process: 01:07:19

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak16.zip/kvnab$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak16.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak2.zip/kvnab$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak21.zip/hcwprn.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak21.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak24.zip/cbinst$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak24.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak33.zip/wbeInst$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak33.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak38.zip/cbinst$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak38.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak44.zip/kvnab$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak44.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak5.zip/wbeInst$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak5.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak52.zip/cbinst$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak52.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak58.zip/kvnab$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak58.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak66.zip/cbinst$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak66.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip/wml.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC39.zip/vxddsk.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC39.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp100.zip/liqui.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp100.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp11.zip/kkcomp$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp11.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp137.zip/liqad$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp137.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp149.zip/vxddsk.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp149.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp189.zip/xxxvideo.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp189.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp54.zip/liqad$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp54.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp56.zip/liqad.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp56.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp63.zip/xxxvideo.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp63.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp65.zip/vxddsk.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp65.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp94.zip/kkcomp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp94.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Chad Benoit\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-1181d259-3a3ab97f.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Chad Benoit\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-1181d259-3a3ab97f.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Chad Benoit\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-5-15-2008( 20-8-43 ).LOG Object is locked skipped
C:\Documents and Settings\Chad Benoit\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\Sent Items.dbx/[From "Chad Benoit" <chadwickbt@bellsouth.net>][Date Tue, 21 Nov 2006 09:00:10 -0600]/eicar.com Infected: EICAR-Test-File skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\Sent Items.dbx/[From "Chad Benoit" <chadwickbt@bellsouth.net>][Date Tue, 21 Nov 2006 09:03:39 -0600]/eicar.com.zip Infected: EICAR-Test-File skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\Sent Items.dbx MailMSOutlook5: infected - 2 skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Chad Benoit\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chad Benoit\Local Settings\History\History.IE5\MSHist012008051520080516\index.dat Object is locked skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chad Benoit\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Chad Benoit\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$RETSDATA\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$RETSDATA\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$RETSDATA\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$RETSDATA\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$RETSDATA\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$RETSDATA\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$RETSDATA\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$WLAUSERPROFILE\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$WLAUSERPROFILE\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$WLAUSERPROFILE\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$WLAUSERPROFILE\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$WLAUSERPROFILE\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$WLAUSERPROFILE\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$WLAUSERPROFILE\LOG\ERRORLOG Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\QooBox\Quarantine\C\WINDOWS\b2new.exe.vir Infected: Trojan-Downloader.Win32.Agent.otg skipped
C:\QooBox\Quarantine\C\WINDOWS\fkwggshm.exe.vir Infected: Trojan.Win32.VB.azo skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dFrnx06\dFrnx061083.exe.vir Infected: Trojan-Downloader.Win32.VB.ehl skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g50.exe.vir/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g50.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g50.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kablkiga.dll.vir Infected: Trojan.Win32.Monder.eb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sockins32.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.awz skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\spoolX\NsDatdsrv.exe.vir/stream/data0007/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\spoolX\NsDatdsrv.exe.vir/stream/data0007/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\spoolX\NsDatdsrv.exe.vir/stream/data0007 Infected: Trojan.NSIS.StartPage.c skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\spoolX\NsDatdsrv.exe.vir/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\spoolX\NsDatdsrv.exe.vir NSIS: infected - 4 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\uyjcefel.dll_old.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.rkn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xxyVOhIX.dll.vir Infected: Trojan.Win32.Zapchast.gb skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6AF91CAE-2AC5-44E8-8D7D-3603E3019450}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\0.1396601.exe Infected: Trojan-Downloader.Win32.VB.bzi skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\NetLimit.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_520.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_59c.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_624.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:25 PM

Posted 17 May 2008 - 08:17 AM

There are a few things that Kaspersky found that we should clean up.

First, delete this file.

C:\WINDOWS\system32\0.1396601.exe


Then open up Outlook Express and go to your sent items folder. Delete the infected emails from Nov 2006. Then make sure you delete them out of your deleted items folder so they're totally gone.



You are running an older version of Java. This can be a security risk so let's get you the latest version.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

The rest of it is false positives and files already quarantined.
Let me know how it goes.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
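The triage applied in the post above (act on the live file in system32, treat quarantine contents, the not-a-virus tool detections and the EICAR mail attachments as noise, and answer the Java cache hit by upgrading the JRE) can be written down as a small parser over the Kaspersky Online Scanner report. The block below is an added example written for this page; it is not part of the original thread and not a BleepingComputer or Kaspersky tool. The report lines it parses are copied from the log above, except the Desktop\dropper.exe line, which is constructed to exercise the heuristic bucket; the bucket names, the quarantine folder list and the rule order are this example's own assumptions.

```python
"""Triage a Kaspersky Online Scanner 5.x report: separate live detections that
still need action from quarantine copies, riskware, test files and locked objects."""
import re
from collections import Counter

# One report line is "<path> <verdict> <action>"; <path> may contain spaces.
# Verdict shapes seen in the thread: "Infected: <name>", "Suspicious: <name>",
# "Object is locked", and container roll-ups such as "ZIP: suspicious - 1".
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"(?P<status>Infected|Suspicious): (?P<name>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<container>[A-Za-z0-9]+): (?:infected|suspicious) - (?P<count>\d+)"
    r") (?P<action>\S+)$"
)

# Folders where earlier tools (ComboFix, KillBox, Spybot S&D) already moved
# malware; hits here are inert copies, not active infections. Assumed list.
QUARANTINE_MARKERS = (
    "\\qoobox\\quarantine\\",
    "\\!killbox\\",
    "\\spybot - search & destroy\\recovery\\",
)
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"

# Constructed sample: lines copied from the report above plus one made-up
# Desktop\dropper.exe line so that the 'heuristic' bucket is exercised.
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\0.1396601.exe Infected: Trojan-Downloader.Win32.VB.bzi skipped
C:\QooBox\Quarantine\C\WINDOWS\b2new.exe.vir Infected: Trojan-Downloader.Win32.Agent.otg skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip/wml.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip ZIP: suspicious - 1 skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\Documents and Settings\Chad Benoit\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-1181d259-3a3ab97f.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Chad Benoit\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\Sent Items.dbx/[mail 2006-11-21]/eicar.com Infected: EICAR-Test-File skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\Chad Benoit\Desktop\dropper.exe Suspicious: Password-protected-EXE skipped
"""


def parse_line(line):
    """Return a dict for one report line, or None for lines that are not findings."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    kind = "locked" if d["locked"] else "container" if d["container"] else "detection"
    return {"path": d["path"], "kind": kind, "status": d["status"],
            "name": d["name"], "action": d["action"]}


def classify(finding):
    """Map one parsed finding to a triage bucket. Rule order matters: a
    quarantined copy of a trojan is 'already-quarantined', not 'live-infection'."""
    path = finding["path"].lower()
    if finding["kind"] == "locked":
        return "locked"             # in-use hive/log/db, not a detection at all
    if finding["kind"] == "container":
        return "container-summary"  # roll-up of the archive's member hits
    name = finding["name"]
    if name == "EICAR-Test-File":
        return "test-file"          # harmless AV test string, e.g. in old mail
    if any(marker in path for marker in QUARANTINE_MARKERS):
        return "already-quarantined"
    if name.startswith("not-a-virus:"):
        return "riskware"           # mIRC, VNC, adware: review, do not auto-delete
    if JAVA_CACHE_MARKER in path:
        return "java-cache"         # exploit class in JRE cache: update JRE, clear cache
    if finding["status"] == "Suspicious":
        return "heuristic"          # packed/password-protected EXE, needs a manual look
    return "live-infection"         # on-disk malware outside quarantine: act on it


def triage(report_text):
    """Parse a whole report; return (per-path buckets, bucket counts)."""
    buckets = {}
    for line in report_text.splitlines():
        finding = parse_line(line)
        if finding:
            buckets[finding["path"]] = classify(finding)
    return buckets, Counter(buckets.values())


def actionable(buckets):
    """Paths the user still has to deal with by hand."""
    return sorted(p for p, b in buckets.items() if b in ("live-infection", "java-cache"))


if __name__ == "__main__":
    buckets, counts = triage(SAMPLE_REPORT)
    for bucket, n in sorted(counts.items()):
        print(f"{bucket:20s} {n}")
    print("still to handle:", *actionable(buckets), sep="\n  ")
```

To run it on a real report, pass the saved report text to `triage()` instead of `SAMPLE_REPORT`; "Object is locked" entries are registry hives, event logs and database files held open by Windows and are never findings, which is why they come out in their own bucket.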


========================================================

#15 chadwickms

chadwickms
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:25 PM

Posted 19 May 2008 - 10:46 PM

Everything is going great. Thanks a bunch! :thumbsup:
Should I delete files/empty quarantine so I don't get more false positives?



