Trojandownloader: Win32/Unruy.D (fixes I have found don't work)


  • This topic is locked
10 replies to this topic

#1 gho100

Posted 22 June 2010 - 11:07 AM

I am running a Dell Inspiron 710M, which I know is old, but I don't have the $$ for a new laptop right now.

OS: Windows XP Home 2002, SP3

Issue: Microsoft Security Essentials detects "Trojandownloader: Win32/Unruy.D" every time I start. It tries to remove it, but sometimes encounters an error:

"Microsoft Security Essentials encountered the following error: Error code 0x80070102. The wait operation timed out. "

Normally:

"Category: Trojan Downloader

Description: This program is dangerous and downloads other programs.

Recommendation: Remove this software immediately.

Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the 'Allow' action and click 'Apply actions'. If this option is not available, log on as administrator or ask the local administrator for help.

Items:
file:C:\System Volume Information\Microsoft\services.exe "

Programs I have run:
ESET Online scanner
MBAM
Ad-Aware
Spybot S&D
Avast
TDSS Rootkill
CCleaner
I have also run MBAM in safe mode, no results.

Every time I start the computer, MSE finds the same threat, and asks me to restart.

I have disabled the system recovery, and removed the common Registry entries I could find associated with "Unruy" including "arcotray .exe"

Could use some guidance, please!!

Thanks in advance!

EDIT: Moved from XP to Am I Infected forum ~ Hamluis.

I don't see the ability to edit my first post, so here's the DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by GHO at 19:13:27.57 on Sun 08/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.494.109 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Soluto\SolutoService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
c:\WINDOWS\system32\ZuneWlanCfgSvc.exe
C:\Program Files\Soluto\soluto.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
E:\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\soluto\soluto.exe /userinit
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [<NO NAME>]
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [PMX Daemon] ICO.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SPC610NC_Monitor] c:\windows\philips\spc610nc\Monitor.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [pqkrdltv] c:documents and settingsnetworkservicelocal settingsapplication dataqtdmbvrqcugefwpttssd.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {F92211F4-3913-4DC2-A275-756374D848B0} - hxxp://10.0.0.2:820/MP4DVR.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gho\applic~1\mozilla\firefox\profiles\gbt1grt8.default
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-21 164048]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-3-25 353672]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-21 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-21 40384]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-3-21 55152]
R2 SolutoService;Soluto PCGenome Core Service;c:\program files\soluto\SolutoService.exe [2010-6-17 338464]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S0 PCGenFAM;PCGenFAM;c:\windows\system32\drivers\PCGenFAM.sys [2010-6-21 179656]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\superantispyware\sabkutil.sys --> c:\program files\superantispyware\SABKUTIL.sys [?]
S2 Ca536av;FashionCam Video Camera Device;c:\windows\system32\drivers\ca536av.sys --> c:\windows\system32\drivers\Ca536av.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-21 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-21 40384]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
S3 SPC610NC;SPC 610NC Laptop Camera;c:\windows\system32\drivers\SPC610NC.SYS [2007-1-19 409728]

=============== Created Last 30 ================

2010-08-20 02:41:54 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-01 17:37:48 221568 ------w- c:\windows\system32\MpSigStub.exe

============= FINISH: 19:15:09.68 ===============

GMER:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-23 17:34:34
Windows 5.1.2600 Service Pack 3
Running: qvp6i74o.exe; Driver: C:\DOCUME~1\GHO\LOCALS~1\Temp\pxtdqpow.sys

---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEE90FC7A]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xEEAF4FC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xEEAF1C80]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEE90FB36]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xEEAF5580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xEEB09900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xEEB09B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xEEB0DB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xEEAF5670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xEEAF2210]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xEE9100EA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEE910014]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xEEB09280]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xEEB0CF10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xEEB0CF90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xEEAF2070]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEE90FC10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xEEB0B180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xEEB0AF40]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEE90FD30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xEE9101B8]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xEEB0D150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xEEAF4BE0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEE90FCF0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xEEAF5190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xEEAF2440]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEE90FE70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xEEB0A200]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEE9D3620]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xEE91CA24]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [80, 55, AF, EE, 00, 99, B0, ...] {ADC BYTE [EBP-0x51], 0xee; ADD [ECX-0x64ef1150], BL; MOV AL, 0xee}
PAGE ntoskrnl.exe!ObInsertObject 8056503A 5 Bytes JMP EE919EC2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 8059F8CA 5 Bytes JMP EE918536 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwLoadDriver 805A3B73 7 Bytes JMP EE91CA28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
? srescan.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2216] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2216] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2216] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2216] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2216] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2216] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2216] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2216] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2216] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [EEAF9B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [EEAF9930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [EEAFA260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [EEAF7E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [EEAF7E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [EEAF9B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [EEAF9930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [EEAFA260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [EEAF9B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [EEAF7E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [EEAFA260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [EEAF9930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EEAFA260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EEAF9930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EEAF9B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [EEAF7E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EEAF9B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EEAF9930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EEAFA260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [EEB12B30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [EEAFA260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [EEAF9930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [EEAF7E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [EEAF9B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [EEAF9B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [EEAF7E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [EEAFA260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [EEAF9930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [EEAF28D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [EEAF2A80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [EEAF25E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [EEAF2980] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[892] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[892] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \FileSystem\Fastfat \Fat ECFFED20
Device \FileSystem\Fastfat \Fat ED0029F2

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.15 ----


MBAM:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

6/20/2010 6:35:00 PM
mbam-log-2010-06-20 (18-35-00).txt

Scan type: Full scan (C:\|)
Objects scanned: 174296
Time elapsed: 1 hour(s), 23 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pqkrdltv (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService\Local Settings\Application Data\qtdmbvrqc\ugefwpttssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.




SUPERAntiSpyware:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/22/2010 at 09:05 PM

Application Version : 4.39.1002

Core Rules Database Version : 5106
Trace Rules Database Version: 2918

Scan type : Complete Scan
Total Scan Time : 02:41:02

Memory items scanned : 243
Memory threats detected : 0
Registry items scanned : 7389
Registry threats detected : 4
File items scanned : 61028
File threats detected : 512

Adware.Tracking Cookie
C:\Documents and Settings\GHO\Cookies\gho@eas.apm.emediate[1].txt
C:\Documents and Settings\GHO\Cookies\system@imrworldwide[2].txt
C:\Documents and Settings\GHO\Cookies\system@ads.gamersmedia[1].txt
C:\Documents and Settings\GHO\Cookies\gho@advertise[1].txt
C:\Documents and Settings\GHO\Cookies\gho@msnportal.112.2o7[1].txt
C:\Documents and Settings\GHO\Cookies\system@adx.bidsystem[1].txt
C:\Documents and Settings\GHO\Cookies\system@dmtracker[1].txt
C:\Documents and Settings\GHO\Cookies\gho@specificmedia[1].txt
C:\Documents and Settings\GHO\Cookies\gho@ad.yieldmanager[2].txt
C:\Documents and Settings\GHO\Cookies\system@pointroll[1].txt
C:\Documents and Settings\GHO\Cookies\gho@revsci[2].txt
C:\Documents and Settings\GHO\Cookies\system@media6degrees[2].txt
C:\Documents and Settings\GHO\Cookies\gho@ads.fleshbot[1].txt
C:\Documents and Settings\GHO\Cookies\system@revsci[1].txt
C:\Documents and Settings\GHO\Cookies\system@atwola[1].txt
C:\Documents and Settings\GHO\Cookies\gho@bizzclick[1].txt
C:\Documents and Settings\GHO\Cookies\system@eas.apm.emediate[2].txt
C:\Documents and Settings\GHO\Cookies\system@atdmt[1].txt
C:\Documents and Settings\GHO\Cookies\system@invitemedia[2].txt
C:\Documents and Settings\GHO\Cookies\system@rotator.adjuggler[1].txt
C:\Documents and Settings\GHO\Cookies\system@serving-sys[2].txt
C:\Documents and Settings\GHO\Cookies\gho@zanox[2].txt
C:\Documents and Settings\GHO\Cookies\system@lucidmedia[1].txt
C:\Documents and Settings\GHO\Cookies\gho@content.yieldmanager[1].txt
C:\Documents and Settings\GHO\Cookies\system@ads.cellfish[1].txt
C:\Documents and Settings\GHO\Cookies\gho@at.atwola[2].txt
C:\Documents and Settings\GHO\Cookies\gho@adtech[1].txt
C:\Documents and Settings\GHO\Cookies\system@ads.pointroll[1].txt
C:\Documents and Settings\GHO\Cookies\system@ads.xapads[2].txt
C:\Documents and Settings\GHO\Cookies\system@bridge2.admarketplace[1].txt
C:\Documents and Settings\GHO\Cookies\system@ads.bridgetrack[1].txt
C:\Documents and Settings\GHO\Cookies\gho@invitemedia[1].txt
C:\Documents and Settings\GHO\Cookies\system@at.atwola[1].txt
C:\Documents and Settings\GHO\Cookies\gho@ads.verticalscope[2].txt
C:\Documents and Settings\GHO\Cookies\system@insightexpressai[1].txt
C:\Documents and Settings\GHO\Cookies\gho@ads.christianpost[2].txt
C:\Documents and Settings\GHO\Cookies\gho@ad.wsod[2].txt
C:\Documents and Settings\GHO\Cookies\gho@tacoda[1].txt
C:\Documents and Settings\GHO\Cookies\system@adecn[1].txt
C:\Documents and Settings\GHO\Cookies\system@advertise[1].txt
C:\Documents and Settings\GHO\Cookies\system@legolas-media[2].txt
C:\Documents and Settings\GHO\Cookies\system@counter.surfcounters[1].txt
C:\Documents and Settings\GHO\Cookies\system@bs.serving-sys[2].txt
C:\Documents and Settings\GHO\Cookies\system@tacoda[2].txt
C:\Documents and Settings\GHO\Cookies\gho@adbrite[2].txt
C:\Documents and Settings\GHO\Cookies\system@bizzclick[2].txt
C:\Documents and Settings\GHO\Cookies\system@kontera[1].txt
C:\Documents and Settings\GHO\Cookies\system@questionmarket[1].txt
C:\Documents and Settings\GHO\Cookies\gho@adecn[1].txt
C:\Documents and Settings\GHO\Cookies\system@ads.us.e-planning[1].txt
C:\Documents and Settings\GHO\Cookies\system@admarketplace[1].txt
C:\Documents and Settings\GHO\Cookies\system@tribalfusion[2].txt
C:\Documents and Settings\GHO\Cookies\system@content.yieldmanager[3].txt
C:\Documents and Settings\GHO\Cookies\system@dodtracker[1].txt
C:\Documents and Settings\GHO\Cookies\system@content.yieldmanager[1].txt
C:\Documents and Settings\GHO\Cookies\system@citi.bridgetrack[1].txt
C:\Documents and Settings\GHO\Cookies\system@advertising[2].txt
C:\Documents and Settings\GHO\Cookies\gho@media6degrees[2].txt
C:\Documents and Settings\GHO\Cookies\gho@adx.bidsystem[1].txt
C:\Documents and Settings\GHO\Cookies\gho@adxpose[1].txt
C:\Documents and Settings\GHO\Cookies\system@bannertgt[1].txt
C:\Documents and Settings\GHO\Cookies\gho@specificclick[2].txt
convoad.technoratimedia.com [ C:\Documents and Settings\GHO\Application Data\Macromedia\Flash Player\#SharedObjects\Q7GAPKVQ ]
core.insightexpressai.com [ C:\Documents and Settings\GHO\Application Data\Macromedia\Flash Player\#SharedObjects\Q7GAPKVQ ]
media.mtvnservices.com [ C:\Documents and Settings\GHO\Application Data\Macromedia\Flash Player\#SharedObjects\Q7GAPKVQ ]
media1.break.com [ C:\Documents and Settings\GHO\Application Data\Macromedia\Flash Player\#SharedObjects\Q7GAPKVQ ]
secure-us.imrworldwide.com [ C:\Documents and Settings\GHO\Application Data\Macromedia\Flash Player\#SharedObjects\Q7GAPKVQ ]
vidii.hardsextube.com [ C:\Documents and Settings\GHO\Application Data\Macromedia\Flash Player\#SharedObjects\Q7GAPKVQ ]
www.mofosex.com [ C:\Documents and Settings\GHO\Application Data\Macromedia\Flash Player\#SharedObjects\Q7GAPKVQ ]
www.pornhub.com [ C:\Documents and Settings\GHO\Application Data\Macromedia\Flash Player\#SharedObjects\Q7GAPKVQ ]
.collective-media.net [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
.kaspersky.122.2o7.net [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
.bizzclick.com [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
.advertise.com [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
.tribalfusion.com [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
.media6degrees.com [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
.media6degrees.com [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
.media6degrees.com [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
.content.yieldmanager.com [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
.media6degrees.com [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
citi.bridgetrack.com [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
citi.bridgetrack.com [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
citi.bridgetrack.com [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
.questionmarket.com [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
.questionmarket.com [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
ads.crakmedia.com [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
.content.yieldmanager.com [ C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\cookies.sqlite ]
C:\Documents and Settings\GHO\Cookies\gho@bannertgt[1].txt
C:\Documents and Settings\GHO\Cookies\gho@zanox[1].txt
.ads.pointroll.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.pointroll.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.imrworldwide.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.imrworldwide.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.adlegend.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.adlegend.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.kontera.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.trafficholder.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.naiadsystems.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.naiadsystems.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.clicksor.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.trafficholder.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.adserver.adtechus.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.trafficholder.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.trafficholder.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
stat.onestat.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
stat.onestat.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.andomedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.dodtracker.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.stats.paypal.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.liveperson.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.liveperson.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
cdn4.specificclick.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.247realmedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.oasn04.247realmedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.tacoda.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.nextag.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.click.in [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.click.in [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
1xxx.cqcounter.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.hardsextube.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
2.bfugmedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.adecn.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.yieldmanager.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
roi.clicklab.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
roi.clicklab.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.at.atwola.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
adserver.adreactor.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.content.yieldmanager.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
cdn4.specificclick.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
in.getclicky.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.realmedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.interclick.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.interclick.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.interclick.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.a1.interclick.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.network.realmedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.realmedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.realmedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.2o7.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.pro-market.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.pro-market.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ru4.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ru4.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.a1.interclick.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.specificmedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.xiti.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
stats.skisrossignol.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.legolas-media.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.legolas-media.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.jcwhitney.112.2o7.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.suunto.122.2o7.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.wachovia.112.2o7.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.paypal.112.2o7.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.liveperson.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.njmvc.112.2o7.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.2o7.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.intermundomedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.intermundomedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.intermundomedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ru4.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ru4.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ru4.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ru4.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.questionmarket.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
survey.questionmarket.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.yieldmanager.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.lucidmedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.lucidmedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.lucidmedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.burstbeacon.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.burstbeacon.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
advertising.sheknows.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.edgeadx.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.legolas-media.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ads.bridgetrack.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ads.bridgetrack.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.countycomm.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.countycomm.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.countycomm.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.clicksor.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.clicksor.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.prosper202.rocketstracking.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.tracklead.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ru4.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ru4.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.bannertgt.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.bannertgt.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.bannertgt.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
dc.tremormedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.videoegg.adbureau.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.clicksor.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.clicksor.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.clicksor.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.chitika.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
k.v.y.cltomedia.info [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.cltomedia.info [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
cltomedia.info [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.myroitracking.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.adserving.contextualmarketplace.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.adserving.contextualmarketplace.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
tracker.infra-ad.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.walmart.112.2o7.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www4.addfreestats.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
porndad.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
adserver.crawlspace-interactive.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.cz5.clickzs.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.cz5.clickzs.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.pornhub.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.pornhub.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.pornhublive.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.pornhublive.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.mofosex.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.mofosex.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.mofosex.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.streamsex.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.streamsex.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.streamsex.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.streamsex.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.streamsex.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.streamsex.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.streamsex.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.streamsex.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.streamsex.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
freshxxxtube.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
freshxxxtube.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
freshxxxtube.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
freshxxxtube.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.pornhub.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.pornhub.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.bleeptt.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.bleeptt.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.bleeptt.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ads.crakmedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.liveperson.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.otterproducts.112.2o7.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.liveperson.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.liveperson.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.adcentriconline.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.2o7.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.2o7.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.dmtracker.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.kontera.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.kontera.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ads.crakmedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ads.crakmedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ads.crakmedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.bleepbookcamgirls.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.bleepbookcamgirls.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.bleepbookcamgirls.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.pornhub.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.pornhub.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.pornhub.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.pornhub.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.e-2dj6wfkyspczchp.stats.esomniture.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.trafficmp.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.trafficmp.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.trafficmp.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.trafficmp.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.a1.interclick.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.a1.interclick.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.a1.interclick.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.a1.interclick.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.a1.interclick.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.a1.interclick.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.interclick.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.liveperson.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
server.iad.liveperson.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
citi.bridgetrack.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
citi.bridgetrack.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
citi.bridgetrack.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.media.photobucket.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.backcountry.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.backcountry.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.backcountry.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.backcountry.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.backcountry.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.backcountry.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.backcountry.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.backcountry.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.backcountry.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.backcountry.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.backcountry.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.farecastcom.122.2o7.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.247realmedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.247realmedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.trafficmp.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.trafficmp.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.liveperson.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
sales.liveperson.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
cdn4.specificclick.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.liveperson.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
cdn4.specificclick.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
adx.bidsystem.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ads.pointroll.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
sales.liveperson.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.bizrate.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.bizrate.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.bizrate.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.nextag.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.doubleclick.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.dodtracker.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.dodtracker.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.specificmedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.at.atwola.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.at.atwola.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ads.zeusclicks.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.apmebf.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.mediaplex.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.fastclick.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ehg-techtarget.hitbox.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.hitbox.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.hitbox.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ad.doubleclick.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.fastclick.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.fastclick.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ads.bridgetrack.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ads.bridgetrack.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.pointroll.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ads.pointroll.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ads.pointroll.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ads.pointroll.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ads.pointroll.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ads.pointroll.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ads.pointroll.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.content.yieldmanager.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.realmedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
network.realmedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.oasn04.247realmedia.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.tribalfusion.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
statse.webtrendslive.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atwola.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.tacoda.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.tacoda.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.tacoda.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.tacoda.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.tacoda.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.bs.serving-sys.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.questionmarket.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.questionmarket.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.tracking.percentmobile.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.tracking.percentmobile.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
cdn4.specificclick.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.specificclick.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.specificclick.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.specificclick.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.specificclick.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.specificclick.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.specificclick.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
cdn4.specificclick.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
cdn4.specificclick.net [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ads.bridgetrack.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ads.bridgetrack.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ads.bridgetrack.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.hardsextube.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.adxpansion.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.hardsextube.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.hardsextube.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.hardsextube.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.hardsextube.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.hardsextube.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
adserver.hardsextube.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
dev.hardsextube.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.hardsextube.com [ C:\Documents and Settings\GHO\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
convoad.technoratimedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NDGVZ4XC ]
media-glam.pictela.net [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NDGVZ4XC ]
media.mtvnservices.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NDGVZ4XC ]
media.scanscout.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NDGVZ4XC ]
media1.break.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NDGVZ4XC ]
objects.tremormedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NDGVZ4XC ]
s0.2mdn.net [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NDGVZ4XC ]
secure-us.imrworldwide.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NDGVZ4XC ]
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adcloudmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.bighealthtree[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.bighealthtree[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.financialcontent[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.financialcontent[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.gossipcenter[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.pubmatic[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.pubmatic[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.undertone[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@adxpose[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@at.atwola[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@at.atwola[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@bs.serving-sys[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@chitika[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@collective-media[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@dr.findlinks[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@enhance[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@exoclick.40531.blueseek[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@exoclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@interclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@pointroll[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@pro-market[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@revsci[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ru4[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificmedia[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@tacoda[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@tracking.admarketplace[1].txt
convoad.technoratimedia.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\U9KNCJB2 ]
media1.break.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\U9KNCJB2 ]
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@adecn[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@adtech[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@adx.bidsystem[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@apmebf[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@bannertgt[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@bs.serving-sys[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@doubleclick[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@edgeadx[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@fastclick[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@fastclick[3].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@media6degrees[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@media6degrees[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@rotator.adjuggler[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@serving-sys[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@serving-sys[3].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@www.burstnet[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@zanox[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@zedo[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@zedo[3].txt

Adware.Flash Tracking Cookie
C:\Documents and Settings\GHO\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\Q7GAPKVQ\CONVOAD.TECHNORATIMEDIA.COM
C:\Documents and Settings\GHO\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\Q7GAPKVQ\MEDIA.MTVNSERVICES.COM
C:\Documents and Settings\GHO\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\Q7GAPKVQ\MEDIA1.BREAK.COM
C:\Documents and Settings\GHO\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\Q7GAPKVQ\SECURE-US.IMRWORLDWIDE.COM

Rogue.AntivirusSoft
HKU\.DEFAULT\Software\avsoft
HKU\S-1-5-18\Software\avsoft

Malware.Trace
HKU\.DEFAULT\SOFTWARE\AVSUITE
HKU\S-1-5-18\SOFTWARE\AVSUITE

GMER:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-23 17:34:34
Windows 5.1.2600 Service Pack 3
Running: qvp6i74o.exe; Driver: C:\DOCUME~1\GHO\LOCALS~1\Temp\pxtdqpow.sys
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEE90FC7A]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xEEAF4FC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xEEAF1C80]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEE90FB36]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xEEAF5580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xEEB09900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xEEB09B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xEEB0DB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xEEAF5670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xEEAF2210]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xEE9100EA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEE910014]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xEEB09280]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xEEB0CF10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xEEB0CF90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xEEAF2070]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEE90FC10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xEEB0B180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xEEB0AF40]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEE90FD30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xEE9101B8]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xEEB0D150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xEEAF4BE0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEE90FCF0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xEEAF5190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xEEAF2440]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEE90FE70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xEEB0A200]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEE9D3620]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xEE91CA24]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [80, 55, AF, EE, 00, 99, B0, ...] {ADC BYTE [EBP-0x51], 0xee; ADD [ECX-0x64ef1150], BL; MOV AL, 0xee}
PAGE ntoskrnl.exe!ObInsertObject 8056503A 5 Bytes JMP EE919EC2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 8059F8CA 5 Bytes JMP EE918536 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwLoadDriver 805A3B73 7 Bytes JMP EE91CA28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
? srescan.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2216] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2216] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2216] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2216] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2216] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2216] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2216] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2216] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2216] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [EEAF9B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [EEAF9930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [EEAFA260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [EEAF7E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [EEAF7E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [EEAF9B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [EEAF9930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [EEAFA260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [EEAF9B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [EEAF7E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [EEAFA260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [EEAF9930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EEAFA260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EEAF9930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EEAF9B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [EEAF7E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EEAF9B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EEAF9930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EEAFA260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [EEB12B30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [EEAFA260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [EEAF9930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [EEAF7E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [EEAF9B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [EEAF9B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [EEAF7E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [EEAFA260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [EEAF9930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [EEAF28D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [EEAF2A80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [EEAF25E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [EEAF2980] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[892] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[892] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2736] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \FileSystem\Fastfat \Fat ECFFED20
Device \FileSystem\Fastfat \Fat ED0029F2

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

attached log data as requested by hamluis

Edited by hamluis, 22 August 2010 - 07:00 PM.
Merged posts, moved from AII to MRL ~ Hamluis.


#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK
  • Local time:12:31 PM

Posted 23 August 2010 - 03:31 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 gho100

gho100
  • Topic Starter

  • Members
  • 12 posts
  • Local time:07:31 AM

Posted 23 August 2010 - 07:23 AM

Thanks Casey, all of that information is included in the first post.

#4 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK
  • Local time:12:31 PM

Posted 23 August 2010 - 09:03 AM

QUOTE(gho100 @ Aug 23 2010, 01:23 PM)
Thanks Casey, all of that information is included in the first post.


No problem, but we need you to run all of the scans I've asked for again, since it has been a while since you last ran the scans and the current situation on your PC may be different now.

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#5 gho100

gho100
  • Topic Starter

  • Members
  • 12 posts
  • Local time:07:31 AM

Posted 23 August 2010 - 09:21 AM

The computer has not been turned on since the last scans, so they can't be any different. The only time I did use it was last night to run the DDS, as requested.

I understand you're trying to help, but this is the third thread created for this one small problem, each time I'm being directed to give a different set of scans, and then being told again and again it isn't the right ones, or they different ones, or start a new thread, w/e.

If there isn't enough information provided by scans from DDS, GMER, MBAM and Super anti-spyware, all of which were posted as requested, then I'm guessing I won't find any help here anyway.


QUOTE(Casey_boy @ Aug 23 2010, 10:03 AM)
QUOTE(gho100 @ Aug 23 2010, 01:23 PM)
Thanks Casey, all of that information is included in the first post.


No problem, but we need you to run all of the scans I've asked for again, since it has been a while since you last ran the scans and the current situation on your PC may be different now.



#6 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:07:31 AM

Posted 24 August 2010 - 03:26 PM

Hi gho100,

Welcome to the BleepingComputer Virus, Trojan, Spyware, and Malware Removal Logs Forum.
My name is sundavis, and I will be helping you to deal with your malware problems today.


Step 1
  1. Please download OTL and save it to your desktop.
  2. Double click on the icon on your desktop.
  3. Click the "Scan All Users" checkbox.
  4. Click the "Quick Scan" button.
  5. Two reports will open, OTListIt.txt <-- Will be opened and Extra.txt <-- Will be minimized
  6. Copy and paste both logs back here in your next reply.
Step 2
  1. Go to this thread and Download Bootkit Remover.rar to your Desktop.
  2. Extract its contents to your desktop and drag remover.exe on the desktop, not in the folder.
  3. Go to Start > Run, type cmd and hit Enter, then copy/paste the following bolded command into the command prompt and hit Enter.

    "%userprofile%\desktop\remover.exe" >"%userprofile%\desktop\remover.txt"

  4. When done, a log file should be created on your desktop named "remover.txt". Please copy and paste the contents in your next reply.

In your next reply, please post back:

1. OTListIt.txt and Extra.txt
2. Remover.txt

Thanks

Edited by sundavis, 24 August 2010 - 03:28 PM.


#7 gho100

gho100
  • Topic Starter

  • Members
  • 12 posts
  • Local time:07:31 AM

Posted 24 August 2010 - 06:29 PM

Alright, well, the OTL file didn't put out the 2 files, but here are the results from the quick scan:


OTL logfile created on: 8/24/2010 7:10:23 PM - Run 2
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\GHO\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

494.00 Mb Total Physical Memory | 113.00 Mb Available Physical Memory | 23.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 48.00% Paging File free
Paging file location(s): C:\pagefile.sys 744 1488 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.87 Gb Total Space | 12.64 Gb Free Space | 37.30% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive E: | 487.41 Mb Total Space | 486.01 Mb Free Space | 99.71% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GHO
Current User Name: GHO
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - File not found -- C:\System Volume Information\Microsoft\services.exe
PRC - [2010/08/24 18:57:12 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\GHO\Desktop\OTL.exe
PRC - [2010/06/17 19:14:52 | 000,338,464 | ---- | M] (Soluto) -- C:\Program Files\Soluto\SolutoService.exe
PRC - [2010/06/17 19:14:50 | 003,307,552 | ---- | M] (Soluto) -- C:\Program Files\Soluto\Soluto.exe
PRC - [2010/06/01 14:53:46 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2010/05/06 16:59:38 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2010/01/07 15:38:18 | 000,447,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
PRC - [2010/01/07 15:38:10 | 000,058,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneBusEnum.exe
PRC - [2010/01/07 15:38:08 | 005,950,704 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Zune\ZuneNss.exe
PRC - [2009/02/16 00:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2009/02/16 00:10:22 | 000,981,384 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2008/06/10 13:56:28 | 000,447,560 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/21 12:28:36 | 000,643,072 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2007/02/21 12:19:58 | 000,819,200 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2007/02/21 12:19:40 | 000,294,912 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2007/02/21 12:17:42 | 000,970,752 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PRC - [2007/02/21 12:16:48 | 000,983,040 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2007/02/21 12:13:26 | 000,487,424 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
PRC - [2007/02/21 12:10:00 | 000,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2006/06/09 13:47:52 | 000,047,104 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ico.exe


========== Modules (SafeList) ==========

MOD - [2010/08/24 18:57:12 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\GHO\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/06/17 19:14:52 | 000,338,464 | ---- | M] (Soluto) [Auto | Running] -- C:\Program Files\Soluto\SolutoService.exe -- (SolutoService)
SRV - [2010/05/06 16:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/05/06 16:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/05/06 16:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/01/07 15:38:18 | 000,447,216 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2010/01/07 15:38:10 | 000,058,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2010/01/07 15:38:08 | 005,950,704 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2009/02/16 00:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2009/02/06 18:08:58 | 000,533,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2007/02/21 12:28:36 | 000,643,072 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2007/02/21 12:19:40 | 000,294,912 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER) Intel®
SRV - [2007/02/21 12:16:48 | 000,983,040 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2007/02/21 12:10:00 | 000,327,680 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\Bulk536.sys -- (USBCamera)
DRV - File not found [Kernel | System | Stopped] -- C:\Program Files\SUPERAntiSpyware\SABKUTIL.sys -- (SABKUTIL)
DRV - File not found [File_System | Boot | Stopped] -- C:\WINDOWS\System32\DRIVERS\Lbd.sys -- (Lbd)
DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\Drivers\Ca536av.sys -- (Ca536av)
DRV - [2010/06/17 19:06:44 | 000,179,656 | ---- | M] (Soluto LTD.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\PCGenFAM.sys -- (PCGenFAM)
DRV - [2010/05/10 14:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/05/06 16:39:23 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/05/06 16:39:00 | 000,164,048 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/05/06 16:34:27 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/05/06 16:33:59 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/05/06 16:33:47 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/05/06 16:33:29 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/03/25 21:30:22 | 000,151,216 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2010/02/17 14:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/01/07 15:22:02 | 000,040,832 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\zumbus.sys -- (zumbus)
DRV - [2009/02/16 00:10:26 | 000,353,672 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2009/02/06 18:08:42 | 000,055,152 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2008/11/17 02:24:00 | 000,051,688 | ---- | M] (Check Point Software Technologies LTD) [Kernel | Boot | Running] -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan)
DRV - [2008/04/13 14:36:38 | 000,020,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hidbatt.sys -- (HidBatt)
DRV - [2007/02/21 12:16:12 | 000,012,416 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007/02/08 14:51:16 | 002,209,408 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2007/01/19 18:14:50 | 000,409,728 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SPC610NC.SYS -- (SPC610NC)
DRV - [2006/11/02 08:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2006/07/21 13:42:08 | 000,055,808 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm.sys -- (tifm)
DRV - [2006/03/08 13:35:10 | 000,191,872 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/05/03 16:09:28 | 001,033,728 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.SYS -- (HSF_DPV)
DRV - [2005/05/03 16:08:50 | 000,208,384 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2005/05/03 16:08:44 | 000,705,408 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/11/15 16:37:52 | 000,264,440 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\stac97.sys -- (STAC97) Audio Driver (WDM)
DRV - [2004/05/26 16:18:18 | 000,044,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2003/11/13 19:17:00 | 001,042,816 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-746137067-152049171-1343024091-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-746137067-152049171-1343024091-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-746137067-152049171-1343024091-1004\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-746137067-152049171-1343024091-1004\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-746137067-152049171-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-746137067-152049171-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.gmail.com"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox 3.5 Beta 4\components [2010/06/21 00:51:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox 3.5 Beta 4\plugins [2010/06/21 00:51:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/21 01:08:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/21 01:08:15 | 000,000,000 | ---D | M]

[2009/02/26 21:03:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\GHO\Application Data\Mozilla\Extensions
[2010/06/21 09:39:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\extensions
[2009/11/15 20:34:09 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/06/21 09:39:44 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/09/03 20:11:24 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
[2009/03/31 02:39:34 | 000,221,184 | ---- | M] (CNN) -- C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll
[2007/04/16 13:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2010/06/18 12:32:59 | 000,408,427 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 14125 more lines...
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [PMX Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)
O4 - HKLM..\Run: [SPC610NC_Monitor] C:\WINDOWS\Philips\SPC610NC\Monitor.exe (PixArt Imaging Incorporation)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [pqkrdltv] C:\Documents and Settings\NetworkService\Local Settings\Application Data\qtdmbvrqc\ugefwpttssd.exe File not found
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [pqkrdltv] C:\Documents and Settings\NetworkService\Local Settings\Application Data\qtdmbvrqc\ugefwpttssd.exe File not found
O4 - HKU\S-1-5-21-746137067-152049171-1343024091-1004..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-746137067-152049171-1343024091-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {F92211F4-3913-4DC2-A275-756374D848B0} http://10.0.0.2:820/MP4DVR.cab (ERViewerOCX Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Program Files\Soluto\soluto.exe /userinit) - C:\Program Files\Soluto\soluto.exe (Soluto)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\GHO\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\GHO\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/26 19:40:54 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/08/24 19:09:54 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\GHO\Desktop\OTL.exe
[2010/08/22 18:19:46 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\GHO\Recent
[2010/08/20 03:19:12 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/06/24 17:53:03 | 000,000,000 | ---D | C] -- C:\e25ea15cc2b4a205ae8182
[2010/06/23 17:35:31 | 000,000,000 | ---D | C] -- C:\e7f3ed0c984a4c8e19db3ec187afb742
[2010/06/22 15:48:22 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/06/22 01:48:28 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/06/21 12:14:39 | 000,179,656 | ---- | C] (Soluto LTD.) -- C:\WINDOWS\System32\drivers\PCGenFAM.sys
[2010/06/21 12:04:47 | 000,000,000 | ---D | C] -- C:\Program Files\Soluto
[2010/06/21 11:29:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\GHO\Desktop\Security Utilities
[2010/06/21 10:47:50 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/06/21 10:47:48 | 000,164,048 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/06/21 10:47:42 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/06/21 10:47:39 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/06/21 10:47:30 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/06/21 10:47:29 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/06/21 10:47:26 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/06/21 10:39:57 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/06/21 10:39:37 | 000,165,032 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/06/21 10:37:16 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/06/21 10:37:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/06/21 10:32:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\GHO\Application Data\SUPERAntiSpyware.com
[2010/06/21 10:32:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/06/21 10:30:06 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/06/20 15:43:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\GHO\Application Data\Malwarebytes
[2010/06/20 15:43:25 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/06/20 15:43:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/06/20 15:43:23 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/06/20 15:43:23 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/06/19 16:59:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\qtdmbvrqc
[2010/06/19 16:57:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/06/18 13:44:36 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/06/18 11:30:37 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/06/18 11:30:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/06/18 01:09:38 | 000,000,000 | ---D | C] -- C:\cba0cd2eb7b74abb8da111d1
[2010/06/18 00:58:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2010/06/18 00:11:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\GHO\Local Settings\Application Data\Help
[2010/06/18 00:11:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\GHO\Application Data\Help
[2010/06/17 23:00:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/06/17 23:00:02 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/06/17 22:57:54 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/06/17 18:09:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/06/17 18:09:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/06/17 17:58:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\GHO\Local Settings\Application Data\cpmrpf
[2010/06/14 10:35:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Soluto
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/08/24 19:03:35 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/08/24 19:01:05 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/24 18:59:35 | 000,350,192 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/08/24 18:58:17 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/24 18:58:00 | 000,036,833 | ---- | M] () -- C:\Documents and Settings\GHO\Desktop\bootkit_remover.rar
[2010/08/24 18:57:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/24 18:57:12 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\GHO\Desktop\OTL.exe
[2010/08/23 21:30:55 | 008,650,752 | -H-- | M] () -- C:\Documents and Settings\GHO\NTUSER.DAT
[2010/08/23 21:30:55 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\GHO\ntuser.ini
[2010/08/23 21:30:23 | 003,767,320 | -H-- | M] () -- C:\Documents and Settings\GHO\Local Settings\Application Data\IconCache.db
[2010/08/23 21:25:16 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/08/23 21:23:31 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/22 16:10:27 | 000,269,392 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/20 03:23:14 | 000,506,960 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/20 03:23:14 | 000,444,928 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/20 03:23:14 | 000,072,654 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/20 03:11:27 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/06/22 15:48:26 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\GHO\Desktop\HijackThis.lnk
[2010/06/21 13:53:37 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/06/21 13:42:06 | 000,000,316 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
[2010/06/21 10:47:33 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/06/21 10:07:57 | 000,002,246 | ---- | M] () -- C:\Documents and Settings\GHO\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/06/21 09:37:45 | 000,002,268 | ---- | M] () -- C:\Documents and Settings\GHO\Desktop\Google Chrome.lnk
[2010/06/21 09:17:06 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/06/21 01:09:30 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\GHO\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/06/21 01:09:29 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/06/20 23:35:41 | 000,000,628 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/18 13:43:41 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/06/18 12:32:59 | 000,408,427 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/06/17 19:06:44 | 000,179,656 | ---- | M] (Soluto LTD.) -- C:\WINDOWS\System32\drivers\PCGenFAM.sys
[2010/06/15 03:13:21 | 000,022,528 | ---- | M] () -- C:\Documents and Settings\GHO\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/14 10:39:32 | 000,069,624 | ---- | M] () -- C:\Documents and Settings\GHO\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/24 19:10:04 | 000,036,833 | ---- | C] () -- C:\Documents and Settings\GHO\Desktop\bootkit_remover.rar
[2010/08/22 17:22:27 | 000,160,352 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/08/20 03:17:53 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/08/20 03:11:26 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/06/22 15:48:26 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\GHO\Desktop\HijackThis.lnk
[2010/06/21 09:37:46 | 000,002,246 | ---- | C] () -- C:\Documents and Settings\GHO\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/06/21 09:37:40 | 000,002,268 | ---- | C] () -- C:\Documents and Settings\GHO\Desktop\Google Chrome.lnk
[2010/06/21 01:09:30 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\GHO\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/06/21 01:09:29 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/06/18 12:04:03 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/06/14 10:40:06 | 000,000,316 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
[2009/07/09 01:04:56 | 000,000,067 | ---- | C] () -- C:\WINDOWS\Easy Video to DVD.INI
[2009/03/03 16:59:36 | 000,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/03/03 16:59:36 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/03/03 16:59:35 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/03/03 16:59:34 | 000,067,584 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/03/03 16:59:34 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/03/01 00:00:06 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/02/28 19:20:59 | 000,022,528 | ---- | C] () -- C:\Documents and Settings\GHO\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/27 19:00:24 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/02/26 21:19:22 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\GHO\Application Data\$_hpcst$.hpc
[2009/02/26 20:47:12 | 000,796,048 | ---- | C] () -- C:\WINDOWS\System32\libeay32_0.9.6l.dll
[2009/02/26 20:40:09 | 000,131,002 | ---- | C] () -- C:\WINDOWS\System32\DellPM.ini
[2009/02/26 20:28:03 | 000,225,280 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll
[2007/01/19 18:50:18 | 000,000,518 | ---- | C] () -- C:\WINDOWS\System32\SPC610NC.ini
[2002/06/03 14:08:52 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\NavLogon.dll

========== LOP Check ==========

[2010/06/21 10:37:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/02/26 20:47:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MailFrontier
[2010/06/21 13:41:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Soluto
[2010/06/20 23:08:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/09/20 13:05:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\GHO\Application Data\GARMIN
[2009/12/25 14:36:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\GHO\Application Data\Leadertech
[2010/06/21 13:53:37 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/08/24 19:03:35 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========


< End of report >

And the results from the Bootkit:


Bootkit Remover
© 2009 eSage Lab
www.esagelab.com
Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00
Boot sector MD5 is: 3052b732c75e3784ad1b1f06d0fcf12f

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>

Done;


Thanks!

#8 sundavis
  • Malware Response Team
  • 2,708 posts

Posted 24 August 2010 - 07:45 PM

Hi gho100,

Step1
  1. Start > Run and type cmd and hit enter, copy/paste the following bolded command into command prompt and hit Enter.

    "%userprofile%\desktop\remover.exe" fix \\.\PhysicalDrive0

  2. When done, a warning box should prompt; click Yes and restart your PC. After that, please rerun it as instructed in my previous post and post the content in your next reply.

Step2
  1. If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
  2. Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  3. Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  4. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  5. Click Yes to allow Combofix to continue scanning for malware.
  6. When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  7. Do not mouse click on Combofix while it is running. That may cause it to stall.
In your next reply, please post back:

1. Remover.txt
2. ComboFix log

Tell me if you have any remaining issues on your pc.

#9 gho100
  • Topic Starter
  • Members
  • 12 posts

Posted 24 August 2010 - 11:53 PM

Step 1: I ran the bold text as you typed it, and it appears to have run correctly, but I did not get a warning to restart immediately. I restarted manually, and then received a notification on the reboot that another reboot was necessary.

Here are the results of the rescan:


Bootkit Remover
© 2009 eSage Lab
www.esagelab.com
Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)

Done;

Step 2: ComboFix log:

ComboFix 10-08-24.0A - GHO 08/25/2010 0:27.1.1 - x86
Running from: c:\documents and settings\GHO\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-07-25 to 2010-08-25 )))))))))))))))))))))))))))))))
.

2010-08-22 21:22 . 2010-08-25 03:38 160352 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-08-20 07:13 . 2010-08-20 07:13 69624 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-20 02:41 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-25 03:57 . 2010-06-21 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-22 22:20 . 2010-06-18 03:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-20 07:27 . 2009-03-01 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-20 07:13 . 2010-06-18 02:57 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-22 21:48 . 2010-06-22 21:48 63488 ----a-w- c:\documents and settings\GHO\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-22 21:48 . 2010-06-22 21:47 52224 ----a-w- c:\documents and settings\GHO\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-22 21:47 . 2010-06-22 21:47 117760 ----a-w- c:\documents and settings\GHO\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-21 15:56 . 2010-06-14 14:36 926568 ----a-w- c:\documents and settings\All Users\Application Data\Soluto\Installer\SolutoInstaller.exe
2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-21 14:03 . 2004-08-04 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2010-06-21 13:17 . 2009-03-16 15:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-18 17:43 . 2010-06-18 17:44 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-18 00:58 . 2010-06-18 01:00 2353664 ----a-w- c:\windows\Internet Logs\xDB7B.tmp
2010-06-17 23:50 . 2009-03-29 04:36 33665263 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-06-17 23:06 . 2010-06-21 16:14 179656 ----a-w- c:\windows\system32\drivers\PCGenFAM.sys
2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-15 03:32 . 2010-06-15 03:34 2342400 ----a-w- c:\windows\Internet Logs\xDB7A.tmp
2010-06-14 14:39 . 2009-02-26 23:46 69624 ----a-w- c:\documents and settings\GHO\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 14:31 . 2009-02-26 23:38 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-09 17:30 . 2010-06-09 17:31 2337792 ----a-w- c:\windows\Internet Logs\xDB79.tmp
2010-06-08 12:53 . 2010-06-08 13:06 2307584 ----a-w- c:\windows\Internet Logs\xDB78.tmp
2010-06-01 17:37 . 2010-06-21 16:23 221568 ------w- c:\windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"PMX Daemon"="ICO.EXE" [2006-06-09 47104]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SPC610NC_Monitor"="c:\windows\Philips\SPC610NC\Monitor.exe" [2006-11-03 319488]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-03-09 09:08 136176 ----a-w- c:\documents and settings\GHO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-01-07 19:38 158448 ----a-w- c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Soluto\\Soluto.exe"=
"c:\\Program Files\\Soluto\\SolutoService.exe"=
"c:\\Program Files\\Soluto\\SolutoConsole.exe"=
"c:\\Program Files\\Soluto\\SolutoUpdateService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 SolutoService;Soluto PCGenome Core Service;c:\program files\Soluto\SolutoService.exe [6/17/2010 7:14 PM 338464]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 PCGenFAM;PCGenFAM;c:\windows\system32\drivers\PCGenFAM.sys [6/21/2010 12:14 PM 179656]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
S2 Ca536av;FashionCam Video Camera Device;c:\windows\system32\Drivers\Ca536av.sys --> c:\windows\system32\Drivers\Ca536av.sys [?]
S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 8:53 PM 135664]
S3 SPC610NC;SPC 610NC Laptop Camera;c:\windows\system32\drivers\SPC610NC.SYS [1/19/2007 6:14 PM 409728]
.
Contents of the 'Scheduled Tasks' folder

2010-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 00:53]

2010-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 00:53]

2009-02-27 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 17:56]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: {F92211F4-3913-4DC2-A275-756374D848B0} - hxxp://10.0.0.2:820/MP4DVR.cab
FF - ProfilePath - c:\documents and settings\GHO\Application Data\Mozilla\Firefox\Profiles\gbt1grt8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-BitTorrent DNA - c:\program files\DNA\btdna.exe
MSConfigStartUp-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-25 00:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,2c,b5,0d,a5,59,59,45,9a,27,3c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,2c,b5,0d,a5,59,59,45,9a,27,3c,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\NavLogon.dll

- - - - - - - > 'explorer.exe'(2812)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-25 00:40:12
ComboFix-quarantined-files.txt 2010-08-25 04:40

Pre-Run: 13,461,041,152 bytes free
Post-Run: 13,625,696,256 bytes free

- - End Of File - - DB05BB1A994F9C00F9937DA3FDD74034

It appears this may have solved my problems! Microsoft Security Essentials, which would constantly detect and re-detect Unruy.D, no longer identifies a problem and no longer asks me to restart as soon as I've booted.

Please let me know if you see any other troubles in my logs.

#10 sundavis (Malware Response Team)

Posted 25 August 2010 - 12:03 AM

Hi gho100,

The MBR bootkit is gone and your PhysicalDrive0 status is OK now. Your logs appear to be clean.

Let me know if you still have any remaining issues on your pc. Otherwise, the ending speech should be given shortly. Good luck.

#11 sundavis (Malware Response Team)

Posted 02 September 2010 - 12:55 AM

Hi gho100,


Step 1

Click START then RUN.
Now copy/paste ComboFix /Uninstall in the run box and click OK.
Note the space between the X and the /Uninstall; it needs to be there.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step 2

Start OTL from your desktop.
  1. Double click OTL and let it run
  2. Then Click the Cleanup button.
  3. You will get a prompt saying "Being Cleanup Process". Please select Yes.
  4. Restart your computer when prompted.


Please delete all the logs and tools we have used. Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Update your antivirus programs

    Update your antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your PC:
    Secunia Software Inspector
    F-Secure Health Check

  2. Update all programs regularly - Make sure you update all your programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  3. Back up your valid registry - ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore it if needed. Because of malware effects, a corrupt registry can prevent a system from booting. You're well advised to back up your valid registry while the system is clean now. For more info: Here and Here.


Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here on how to prevent malware.


Glad to be of help. Safe surfing!!