
Suspicious Tabs in Windows 7 Task Manager


23 replies to this topic

#1 tritonsmoon (Members, 14 posts)

Posted 21 July 2011 - 04:13 PM

I'm a new user and I see some very knowledgeable people here. I'm hoping someone can help with my situation.

I am running Windows 7 Professional 64bit Service Pack 1.

Two days ago I was going to end a process that was not responsive using Windows Task Manager.

When I got into task manager I see two problems and possibly a third.
1) The tab that normally reads "Applications" is now spelled "Applicitions" <- sounds Russian
2) The performance tab has NO graphic information (normally I see processor and memory usage graphs)
3) The whole task manager is blinking (by that I mean the box appears to flash on and off of the screen) very rapidly. Almost like it is refreshing itself? Not so much that I can't read what is on the screen.

I use avast! Antivirus, but a scan does not produce any viruses.
I ran Malwarebytes and again the scan does not report problems.
I also ran the TDSSKiller from Kaspersky.

I am in the process of running an online scan from ESET.

Can anyone suggest what the problem might be? Could this be a rootkit or stealth application of some sort?

I really don't notice any other problems with the system. But I don't trust what is happening with Task Manager.

Edited by tritonsmoon, 21 July 2011 - 04:14 PM.



#2 tritonsmoon (Topic Starter)

Posted 26 July 2011 - 08:50 AM

Okay, I've done an online scan from about every AV product I trust:
ESET
McAfee
Symantec
Kaspersky

No problems detected at any site.

Does anyone have a suggestion?

I've had this computer off now, except for the time I am troubleshooting problems. I really hate to format before finding where this came from or what the issue could be.

Anyone?

#3 jntkwx (Malware Response Team, 4,339 posts)

Posted 26 July 2011 - 08:18 PM

Hi tritonsmoon,

:welcome: to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button, select Immediate Notification and click Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

 

:step1: Please download MiniToolBox and run it.

Checkmark following boxes:
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

:step2: Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    taskmgr.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

:step3: Let's try repairing corrupt operating system files.
Please follow the directions here: http://www.bleepingcomputer.com/forums/topic43051.html

In your next reply, please include:
  • MiniToolBox log
  • SystemLook log
  • How's the computer running now?

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#4 tritonsmoon (Topic Starter)

Posted 26 July 2011 - 09:53 PM

Hi Jason,
Here are the results of the MiniToolBox:



MiniToolBox by Farbar
Ran by David (administrator) on 26-07-2011 at 21:49:57
Windows 7 Professional Service Pack 1 (X64)

***************************************************************************

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/22/2011 00:10:38 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"1".Error in manifest or policy file "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"2" on line WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1".
Definition is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1".
Please use sxstrace.exe for detailed diagnosis.

Error: (07/22/2011 00:10:16 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (07/21/2011 11:10:56 PM) (Source: Windows Search Service) (User: )
Description: Notifications for the volume C:\ are not active.

Context: Windows Application

Details:
Insufficient quota to complete the requested service. (HRESULT : 0x800705ad) (0x800705ad)

Error: (07/20/2011 11:34:47 PM) (Source: Wininit) (User: )
Description: A critical system process, C:\Windows\system32\lsm.exe, failed with status code 1. The machine must now be restarted.

Error: (07/20/2011 03:11:44 PM) (Source: Application Hang) (User: )
Description: The program gns3.exe version 0.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1044

Start Time: 01cc4718cd96c285

Termination Time: 0

Application Path: C:\Program Files (x86)\GNS3\gns3.exe

Report Id: 77226fa4-b30c-11e0-9547-eaadefbfca04

Error: (07/19/2011 11:29:12 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"1".Error in manifest or policy file "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"2" on line WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1".
Definition is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1".
Please use sxstrace.exe for detailed diagnosis.

Error: (07/19/2011 11:28:43 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (07/19/2011 09:23:54 PM) (Source: Application Hang) (User: )
Description: The program gns3.exe version 0.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 171c

Start Time: 01cc468240d20a3a

Termination Time: 6

Application Path: C:\Program Files (x86)\GNS3\gns3.exe

Report Id: 4900f85b-b277-11e0-b511-c9577c66c10c

Error: (07/18/2011 06:05:43 PM) (Source: Application Error) (User: )
Description: Faulting application name: nvcplui.exe, version: 3.5.797.0, time stamp: 0x4d64b3a4
Faulting module name: nvSCPAPI64.dll, version: 7.15.11.9038, time stamp: 0x4a5cdb3d
Exception code: 0xc0000005
Fault offset: 0x0000000000032e78
Faulting process id: 0x1204
Faulting application start time: 0xnvcplui.exe0
Faulting application path: nvcplui.exe1
Faulting module path: nvcplui.exe2
Report Id: nvcplui.exe3

Error: (07/17/2011 10:08:02 PM) (Source: Windows Search Service) (User: )
Description: Notifications for the volume C:\ are not active.

Context: Windows Application

Details:
Insufficient quota to complete the requested service. (HRESULT : 0x800705ad) (0x800705ad)


System errors:
=============
Error: (07/26/2011 09:47:28 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
SAVRKBootTasks

Error: (07/26/2011 09:47:13 PM) (Source: Service Control Manager) (User: )
Description: The CyberLink UDF Filesystem service failed to start due to the following error:
%%1275

Error: (07/26/2011 09:47:13 PM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\CLBUDFR.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (07/26/2011 09:47:05 PM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\CLBStor.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (07/22/2011 07:29:09 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
SAVRKBootTasks

Error: (07/22/2011 07:28:48 AM) (Source: Service Control Manager) (User: )
Description: The CyberLink UDF Filesystem service failed to start due to the following error:
%%1275

Error: (07/22/2011 07:28:48 AM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\CLBUDFR.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (07/22/2011 07:28:42 AM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\CLBStor.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (07/21/2011 11:42:39 PM) (Source: Service Control Manager) (User: )
Description: The MEMSWEEP2 service failed to start due to the following error:
%%1275

Error: (07/21/2011 11:42:39 PM) (Source: Application Popup) (User: )
Description: \??\C:\Windows\system32\6D36.tmp has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.


Microsoft Office Sessions:
=========================
Error: (07/22/2011 00:10:38 AM) (Source: SideBySide)(User: )
Description: WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1"c:\program files (x86)\windows live\photo gallery\MovieMaker.Exec:\program files (x86)\windows live\photo gallery\WLMFDS.DLL8

Error: (07/22/2011 00:10:16 AM) (Source: SideBySide)(User: )
Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3

Error: (07/21/2011 11:10:56 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application

Details:
Insufficient quota to complete the requested service. (HRESULT : 0x800705ad) (0x800705ad)
C:\

Error: (07/20/2011 11:34:47 PM) (Source: Wininit)(User: )
Description: C:\Windows\system32\lsm.exe1

Error: (07/20/2011 03:11:44 PM) (Source: Application Hang)(User: )
Description: gns3.exe0.0.0.0104401cc4718cd96c2850C:\Program Files (x86)\GNS3\gns3.exe77226fa4-b30c-11e0-9547-eaadefbfca04

Error: (07/19/2011 11:29:12 PM) (Source: SideBySide)(User: )
Description: WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1"c:\program files (x86)\windows live\photo gallery\MovieMaker.Exec:\program files (x86)\windows live\photo gallery\WLMFDS.DLL8

Error: (07/19/2011 11:28:43 PM) (Source: SideBySide)(User: )
Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3

Error: (07/19/2011 09:23:54 PM) (Source: Application Hang)(User: )
Description: gns3.exe0.0.0.0171c01cc468240d20a3a6C:\Program Files (x86)\GNS3\gns3.exe4900f85b-b277-11e0-b511-c9577c66c10c

Error: (07/18/2011 06:05:43 PM) (Source: Application Error)(User: )
Description: nvcplui.exe3.5.797.04d64b3a4nvSCPAPI64.dll7.15.11.90384a5cdb3dc00000050000000000032e78120401cc459f35ed4215C:\Program Files\NVIDIA Corporation\Control Panel Client\nvcplui.exeC:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPI64.dll763c876d-b192-11e0-b511-c9577c66c10c

Error: (07/17/2011 10:08:02 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application

Details:
Insufficient quota to complete the requested service. (HRESULT : 0x800705ad) (0x800705ad)
C:\


========================= Memory info: ===================================

Percentage of memory in use: 17%
Total physical RAM: 8063.24 MB
Available physical RAM: 6659.93 MB
Total Pagefile: 16124.68 MB
Available Pagefile: 14619.89 MB
Total Virtual: 4095.88 MB
Available Virtual: 3976.71 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:74.53 GB) (Free:31.27 GB) NTFS
2 Drive d: (CISCOPRESS) (CDROM) (Total:0.16 GB) (Free:0 GB) CDFS

========================= Users: ========================================

User accounts for \\X4

__vmware_user__ Administrator ASPNET
David Guest Mcx1-X4


== End of log ==

#5 tritonsmoon (Topic Starter)

Posted 26 July 2011 - 09:55 PM

Results of System Look:

SystemLook 04.09.10 by jpshortstuff
Log created at 21:52 on 26/07/2011 by David
Administrator - Elevation successful

========== filefind ==========

Searching for "taskmgr.exe"
C:\Windows\System32\taskmgr.exe --a---- 257024 bytes [19:49 09/04/2011] [13:25 20/11/2010] 09F7401D56F2393C6CA534FF0241A590
C:\Windows\SysWOW64\taskmgr.exe --a---- 227328 bytes [19:49 09/04/2011] [12:17 20/11/2010] 545BF7EAA24A9E062857D0742EC0B28A
C:\Windows\winsxs\amd64_microsoft-windows-taskmgr_31bf3856ad364e35_6.1.7600.16385_none_705720d4c2e4f76e\taskmgr.exe --a---- 257024 bytes [23:31 13/07/2009] [01:39 14/07/2009] 71672BD4F035440E79DC50EA9A60166A
C:\Windows\winsxs\amd64_microsoft-windows-taskmgr_31bf3856ad364e35_6.1.7601.17514_none_7288349cbfd37b08\taskmgr.exe --a---- 257024 bytes [19:49 09/04/2011] [13:25 20/11/2010] 09F7401D56F2393C6CA534FF0241A590
C:\Windows\winsxs\x86_microsoft-windows-taskmgr_31bf3856ad364e35_6.1.7600.16385_none_143885510a878638\taskmgr.exe --a---- 227328 bytes [23:20 13/07/2009] [01:14 14/07/2009] C1A857A7BC0BBF57B6115CA7AC4E2F6B
C:\Windows\winsxs\x86_microsoft-windows-taskmgr_31bf3856ad364e35_6.1.7601.17514_none_16699919077609d2\taskmgr.exe --a---- 227328 bytes [19:49 09/04/2011] [12:17 20/11/2010] 545BF7EAA24A9E062857D0742EC0B28A

-= EOF =-

#6 jntkwx (Malware Response Team)

Posted 26 July 2011 - 10:50 PM

Hi tritonsmoon,

Let's upload a couple of files for a second opinion on what they actually are.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Virustotal: http://www.virustotal.com/

When the Virustotal page has finished loading, click the Choose File button and navigate to the following file and click Send File.

C:\Windows\System32\taskmgr.exe

C:\Windows\SysWOW64\taskmgr.exe


Please post back the website address (URL) of the Virustotal result in your next post.
Regards,
Jason

 



#7 tritonsmoon (Topic Starter)

Posted 26 July 2011 - 11:21 PM

C:\Windows\System32\taskmgr.exe
http://www.virustotal.com/file-scan/report.html?id=50f2abb613df4813ce74f3b0df080497f689dfcad11f0fc7cd5ea4cdaf093bdf-1311739998

C:\Windows\SysWOW64\taskmgr.exe
http://www.virustotal.com/file-scan/report.html?id=50f2abb613df4813ce74f3b0df080497f689dfcad11f0fc7cd5ea4cdaf093bdf-1311739643

#8 jntkwx (Malware Response Team)

Posted 26 July 2011 - 11:55 PM

Hi tritonsmoon,


:step1: Let's try repairing corrupt operating system files.
Please follow the directions here: http://www.bleepingcomputer.com/forums/topic43051.html

:step2: Reboot into Normal mode. Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE (copy and paste that website address) and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a USB drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

:step3: Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


In your next reply, please include:
  • SuperAntiSpyware log
  • GMER log
  • How's your computer running now? Is the odd Task Manager behavior still the only odd thing you're seeing?

Regards,
Jason

 



#9 tritonsmoon (Topic Starter)

Posted 27 July 2011 - 10:24 AM

From SFC log:

2011-07-26 22:08:44, Info CSI 000001a6 [SR] Cannot repair member file [l:32{16}]"AuthFWSnapin.dll" of Networking-MPSSVC-Admin, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-07-26 22:08:49, Info CSI 000001a8 [SR] Cannot repair member file [l:32{16}]"AuthFWSnapin.dll" of Networking-MPSSVC-Admin, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-07-26 22:14:42, Info CSI 0000030d [SR] Cannot repair member file [l:32{16}]"AuthFWSnapin.dll" of Networking-MPSSVC-Admin, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-07-26 22:14:42, Info CSI 0000030f [SR] Cannot repair member file [l:32{16}]"AuthFWSnapin.dll" of Networking-MPSSVC-Admin, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

#10 jntkwx (Malware Response Team)

Posted 27 July 2011 - 10:33 AM

Hi tritonsmoon,

I believe AuthFWSnapin.dll is associated with Windows Firewall.

:step1: Rerun SystemLook
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    AuthFWSnapin.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Edited by jntkwx, 27 July 2011 - 10:34 AM.

Regards,
Jason

 



#11 tritonsmoon (Topic Starter)

Posted 27 July 2011 - 10:46 AM

New results of System Look:

SystemLook 04.09.10 by jpshortstuff
Log created at 10:41 on 27/07/2011 by David
Administrator - Elevation successful

========== filefind ==========

Searching for "AuthFWSnapin.dll"
C:\Windows\System32\AuthFWSnapin.dll --a---- 5066752 bytes [19:50 09/04/2011] [13:39 20/11/2010] 0CAF5D2AC214392BE081940132F68DAE
C:\Windows\SysWOW64\AuthFWSnapin.dll --a---- 5066752 bytes [19:50 09/04/2011] [12:32 20/11/2010] 13A1F9A72F81509658F3E0B6AC2AD994
C:\Windows\winsxs\amd64_networking-mpssvc-admin_31bf3856ad364e35_6.1.7600.16385_none_01471f9a9b7ffcb1\AuthFWSnapin.dll --a---- 5070848 bytes [22:01 13/07/2009] [01:49 14/07/2009] 6E00E7BFD1EEE1118929F5276F7170D5
C:\Windows\winsxs\amd64_networking-mpssvc-admin_31bf3856ad364e35_6.1.7601.17514_none_03783362986e804b\AuthFWSnapin.dll --a---- 5066752 bytes [19:50 09/04/2011] [13:39 20/11/2010] 0CAF5D2AC214392BE081940132F68DAE
C:\Windows\winsxs\x86_networking-mpssvc-admin_31bf3856ad364e35_6.1.7600.16385_none_a5288416e3228b7b\AuthFWSnapin.dll --a---- 5070848 bytes [22:11 13/07/2009] [01:23 14/07/2009] 058A73936B3CBDB5F8EC5851C8CC8780
C:\Windows\winsxs\x86_networking-mpssvc-admin_31bf3856ad364e35_6.1.7601.17514_none_a75997dee0110f15\AuthFWSnapin.dll --a---- 5066752 bytes [19:50 09/04/2011] [12:32 20/11/2010] 13A1F9A72F81509658F3E0B6AC2AD994

-= EOF =-


BTW: Still scanning with SuperAntiSpyware...

Edited by tritonsmoon, 27 July 2011 - 10:47 AM.


#12 jntkwx (Malware Response Team)

Posted 27 July 2011 - 10:49 AM

Those files exist where they should, and they are the legitimate versions, so I'm not sure why SFC flagged them.

Please continue with Steps 2 and 3 from my previous post (SuperAntiSpyware and GMER).
Regards,
Jason

 

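The check Jason makes in the post above, that each live copy of taskmgr.exe and AuthFWSnapin.dll carries the same MD5 as the copy of the same architecture in the WinSxS component store, as an added example script that is not part of the thread or of SystemLook: it parses the ":filefind" lines posted in #5 and #11 (embedded here as constructed input) and flags any System32/SysWOW64 copy whose hash matches no store copy. The function names and the tampered sample are assumptions of this example.

```python
"""Cross-check SystemLook ':filefind' output against the WinSxS component store.

On 64-bit Windows 7 the live copy of a system binary (System32 holds the amd64
build, SysWOW64 the x86 build) is the same file as one of the copies kept in the
winsxs directory, so its MD5 must equal the MD5 of a store copy for the same
architecture. A live copy that matches no store copy is the one worth a closer
look (patched or replaced binary).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the two ':filefind' results posted in the thread (#5 and #11).
SAMPLE_LOG = r"""
C:\Windows\System32\taskmgr.exe --a---- 257024 bytes [19:49 09/04/2011] [13:25 20/11/2010] 09F7401D56F2393C6CA534FF0241A590
C:\Windows\SysWOW64\taskmgr.exe --a---- 227328 bytes [19:49 09/04/2011] [12:17 20/11/2010] 545BF7EAA24A9E062857D0742EC0B28A
C:\Windows\winsxs\amd64_microsoft-windows-taskmgr_31bf3856ad364e35_6.1.7600.16385_none_705720d4c2e4f76e\taskmgr.exe --a---- 257024 bytes [23:31 13/07/2009] [01:39 14/07/2009] 71672BD4F035440E79DC50EA9A60166A
C:\Windows\winsxs\amd64_microsoft-windows-taskmgr_31bf3856ad364e35_6.1.7601.17514_none_7288349cbfd37b08\taskmgr.exe --a---- 257024 bytes [19:49 09/04/2011] [13:25 20/11/2010] 09F7401D56F2393C6CA534FF0241A590
C:\Windows\winsxs\x86_microsoft-windows-taskmgr_31bf3856ad364e35_6.1.7600.16385_none_143885510a878638\taskmgr.exe --a---- 227328 bytes [23:20 13/07/2009] [01:14 14/07/2009] C1A857A7BC0BBF57B6115CA7AC4E2F6B
C:\Windows\winsxs\x86_microsoft-windows-taskmgr_31bf3856ad364e35_6.1.7601.17514_none_16699919077609d2\taskmgr.exe --a---- 227328 bytes [19:49 09/04/2011] [12:17 20/11/2010] 545BF7EAA24A9E062857D0742EC0B28A
C:\Windows\System32\AuthFWSnapin.dll --a---- 5066752 bytes [19:50 09/04/2011] [13:39 20/11/2010] 0CAF5D2AC214392BE081940132F68DAE
C:\Windows\SysWOW64\AuthFWSnapin.dll --a---- 5066752 bytes [19:50 09/04/2011] [12:32 20/11/2010] 13A1F9A72F81509658F3E0B6AC2AD994
C:\Windows\winsxs\amd64_networking-mpssvc-admin_31bf3856ad364e35_6.1.7600.16385_none_01471f9a9b7ffcb1\AuthFWSnapin.dll --a---- 5070848 bytes [22:01 13/07/2009] [01:49 14/07/2009] 6E00E7BFD1EEE1118929F5276F7170D5
C:\Windows\winsxs\amd64_networking-mpssvc-admin_31bf3856ad364e35_6.1.7601.17514_none_03783362986e804b\AuthFWSnapin.dll --a---- 5066752 bytes [19:50 09/04/2011] [13:39 20/11/2010] 0CAF5D2AC214392BE081940132F68DAE
C:\Windows\winsxs\x86_networking-mpssvc-admin_31bf3856ad364e35_6.1.7600.16385_none_a5288416e3228b7b\AuthFWSnapin.dll --a---- 5070848 bytes [22:11 13/07/2009] [01:23 14/07/2009] 058A73936B3CBDB5F8EC5851C8CC8780
C:\Windows\winsxs\x86_networking-mpssvc-admin_31bf3856ad364e35_6.1.7601.17514_none_a75997dee0110f15\AuthFWSnapin.dll --a---- 5066752 bytes [19:50 09/04/2011] [12:32 20/11/2010] 13A1F9A72F81509658F3E0B6AC2AD994
"""

# Constructed failure case (not from the thread): the System32 taskmgr.exe line
# with its MD5 altered, as a replaced binary would look.
TAMPERED_LOG = SAMPLE_LOG.replace("09F7401D56F2393C6CA534FF0241A590", "DEADBEEF" * 4, 1)

# One ':filefind' result line: path, attribute flags, size, two timestamps, MD5.
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+)\s+(?P<attrs>\S{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
# WinSxS component directory: <arch>_<component>_<publicKeyToken>_<version>_...
STORE_DIR_RE = re.compile(
    r"\\winsxs\\(?P<arch>amd64|x86|wow64|msil)_(?P<comp>[^_\\]+)_"
    r"(?P<token>[0-9a-f]{16})_(?P<ver>[\d.]+)_",
    re.IGNORECASE,
)


def parse_filefind(log_text: str) -> List[dict]:
    """Return one dict per result line; lines that are not results are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
            entries.append(e)
    return entries


def live_arch(path: str) -> Optional[str]:
    """Architecture a live (non-store) copy should have, or None for store copies."""
    p = path.lower()
    if "\\winsxs\\" in p:
        return None
    if "\\system32\\" in p:
        return "amd64"   # 64-bit binaries live in System32 on x64 Windows
    if "\\syswow64\\" in p:
        return "x86"     # 32-bit binaries live in SysWOW64 on x64 Windows
    return None


def verify_live_copies(log_text: str) -> Dict[str, Tuple[bool, str]]:
    """Map each live copy's path to (ok, explanation)."""
    entries = parse_filefind(log_text)
    # (file name, architecture, md5) -> store version that carries that hash
    store: Dict[Tuple[str, str, str], str] = {}
    for e in entries:
        m = STORE_DIR_RE.search(e["path"])
        if m:
            store.setdefault((e["name"], m["arch"].lower(), e["md5"]), m["ver"])
    results: Dict[str, Tuple[bool, str]] = {}
    for e in entries:
        arch = live_arch(e["path"])
        if arch is None:
            continue
        ver = store.get((e["name"], arch, e["md5"]))
        if ver is not None:
            results[e["path"]] = (True, f"matches {arch} store copy, version {ver}")
            continue
        # Same hash under a different architecture would mean a swapped build.
        other = sorted({a for (n, a, h) in store if n == e["name"] and h == e["md5"]})
        if other:
            results[e["path"]] = (False, f"hash only matches store copies of another architecture: {other}")
        else:
            results[e["path"]] = (False, "hash matches no store copy: file modified or replaced, inspect further")
    return results


if __name__ == "__main__":
    for path, (ok, why) in verify_live_copies(SAMPLE_LOG).items():
        print(("OK      " if ok else "SUSPECT ") + path + ": " + why)
```

SystemLook reads the files through the running kernel, so a match only shows the on-disk copy equals the store copy as that kernel reports it; it is a plausibility check, not proof against a rootkit that filters file reads.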


#13 tritonsmoon (Topic Starter)

Posted 27 July 2011 - 11:32 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/27/2011 at 11:23 AM

Application Version : 4.55.1000

Core Rules Database Version : 7469
Trace Rules Database Version: 5281

Scan type : Complete Scan
Total Scan Time : 00:53:08

Memory items scanned : 658
Memory threats detected : 0
Registry items scanned : 13725
Registry threats detected : 4
File items scanned : 37853
File threats detected : 418

Browser Hijacker.Deskbar
(x64) HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
(x64) HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32
(x64) HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib
(x64) HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib#Version

Adware.Vundo/Variant-MSFake
C:\PROGRAM FILES (X86)\GNS3\DEVCON_X86.EXE

Adware.Tracking Cookie
ads.bridgetrack.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.kodakimagingnetwork.122.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.stats.paypal.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
stat.onestat.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.adxpose.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.edgeadx.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.ontarget.122.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.adinterax.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.msnportal.112.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.apmebf.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.e-2dj6wnkococ5ecp.stats.esomniture.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.marthastewart.122.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.apmebf.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.cb.adbureau.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.cb.adbureau.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.cb.adbureau.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.cb.adbureau.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.cb.adbureau.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.paypal.112.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.cmpmedica.112.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.eyewonder.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.videoegg.adbureau.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.e-2dj6wjkoehazsfp.stats.esomniture.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.e-2dj6wjl4ehcpkeo.stats.esomniture.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.statcounter.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.statcounter.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.microsoftsto.112.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
www.technologyquestions.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
www.technologyquestions.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.technologyquestions.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
www.technologyquestions.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.technologyquestions.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.technologyquestions.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.technologyquestions.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.technologyquestions.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
www.burstbeacon.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.burstbeacon.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
adx.bidsystem.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
adserver.results-radio.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.sonyelectronicssupportus.112.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.smartadserver.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.smartadserver.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.smartadserver.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ext-us.bestofmedia.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.xiti.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.amex-insights.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.amex-insights.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.jcwhitney.112.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.liveperson.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.e-2dj6wnloopcjmeq.stats.esomniture.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
www.peoplefinders.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
www.peoplefinders.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.peoplefinders.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.peoplefinders.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.peoplefinders.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.bluestreak.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.walmart.112.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.realmedia.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.enhancedrewards.wellsfargorewards.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.enhancedrewards.wellsfargorewards.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.enhancedrewards.wellsfargorewards.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.ehg.hitbox.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.carfax.112.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.steelhousemedia.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.e-2dj6wjkyolc5mgq.stats.esomniture.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.e-2dj6wdkisodzgdp.stats.esomniture.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.e-2dj6wbmyegd5mfq.stats.esomniture.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.e-2dj6wjlioodzwbq.stats.esomniture.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.kontera.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.kontera.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.casalemedia.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.yieldmanager.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.steelhousemedia.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.ford.112.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.etrade.122.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.adtech.de [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
stat.onestat.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.netgear.122.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.liveperson.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
cdn4.specificclick.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
cdn4.specificclick.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
cdn4.specificclick.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
cdn4.specificclick.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
cdn4.specificclick.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
cdn4.specificclick.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.liveperson.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.liveperson.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
sex.healthguru.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.tacoda.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.tacoda.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.sex.healthguru.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.sex.healthguru.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.sex.healthguru.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
citi.bridgetrack.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
citi.bridgetrack.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
citi.bridgetrack.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
citi.bridgetrack.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.fedex.122.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.pro-market.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.fastclick.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.avgtechnologies.112.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.investorplacemedia.122.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ads.neudesicmediagroup.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ads.neudesicmediagroup.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ads.neudesicmediagroup.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
tracklink.meritline.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.trafficmp.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.www.burstnet.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.burstnet.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.lfstmedia.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.burstnet.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.andomedia.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.ru4.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.statcounter.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
stat.onestat.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.cisco.112.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
statse.webtrendslive.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.idgenterprise.112.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.adinterax.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.solarwinds.122.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.bissell.122.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.specificmedia.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.adecn.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.specificclick.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.specificclick.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.specificclick.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.specificclick.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.specificclick.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.specificclick.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.legolas-media.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.microsoftwlsearchcrm.112.2o7.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.interclick.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insight.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insight.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insight.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insight.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insight.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insight.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insight.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.ads.pointroll.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.realmedia.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.realmedia.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
network.realmedia.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.chitika.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.mm.chitika.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.pointroll.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.ads.pointroll.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.ads.pointroll.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.ads.pointroll.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.ads.pointroll.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.ads.pointroll.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.ads.pointroll.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.casalemedia.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.casalemedia.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.casalemedia.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
adserving.versaneeds.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.mediabrandsww.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
server.iad.liveperson.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.liveperson.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.mediaplex.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.ru4.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.ru4.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.e-2dj6aeliqgczego.stats.esomniture.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.doubleclick.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.insightexpressai.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.mediaplex.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.tacoda.at.atwola.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.tacoda.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.ar.atwola.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.adbrite.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.adbrite.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.at.atwola.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.tacoda.at.atwola.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.tacoda.at.atwola.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.tacoda.at.atwola.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.tacoda.at.atwola.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.at.atwola.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.legolas-media.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.legolas-media.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.questionmarket.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.questionmarket.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.fastclick.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.fastclick.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.trafficmp.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.trafficmp.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.adbrite.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.adbrite.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.tribalfusion.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.adbrite.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.adbrite.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
cdn4.specificclick.net [ C:\Users\David\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\MYN57BHT ]
core.insightexpressai.com [ C:\Users\David\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\MYN57BHT ]
crackle.com [ C:\Users\David\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\MYN57BHT ]
ia.media-imdb.com [ C:\Users\David\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\MYN57BHT ]
media.easy2.com [ C:\Users\David\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\MYN57BHT ]
media.ksee24.com [ C:\Users\David\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\MYN57BHT ]
media.vmixcore.com [ C:\Users\David\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\MYN57BHT ]
mediaforgews.com [ C:\Users\David\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\MYN57BHT ]
msntest.serving-sys.com [ C:\Users\David\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\MYN57BHT ]
objects.tremormedia.com [ C:\Users\David\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\MYN57BHT ]
s0.2mdn.net [ C:\Users\David\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\MYN57BHT ]
secure-us.imrworldwide.com [ C:\Users\David\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\MYN57BHT ]
sex.healthguru.com [ C:\Users\David\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\MYN57BHT ]
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\david@atdmt[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@atdmt[4].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@ad.yieldmanager[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@ad.yieldmanager[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@microsoftwindows.112.2o7[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@msnportal.112.2o7[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@zedo[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@imrworldwide[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@doubleclick[2].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@doubleclick[1].txt
C:\Users\David\AppData\Roaming\Microsoft\Windows\Cookies\Low\david@adbrite[2].txt

I've removed the threats that were detected, and rebooted.

The tabs are still there. I'm scanning with GMER now.

#14 tritonsmoon

tritonsmoon
  • Topic Starter

  • Members
  • 14 posts
  • Local time:07:41 PM

Posted 27 July 2011 - 12:12 PM

Hi Jason,
I've never used GMER before but the following is the response I get in the log file.


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-27 12:10:54
Windows 6.1.7601 Service Pack 1
Running: ek8ldcix.exe


---- Registry - GMER 1.0.15 ----


---- EOF - GMER 1.0.15 ----
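As an added check (not part of this thread or of GMER), the PowerShell below reads the same `Linkage\Export` values that GMER rendered as unreadable binary and reports whether each entry is a printable `\Device\...` string stored as REG_MULTI_SZ. The expected format and the `Suspect` heuristic are assumptions made here, not something the log states.

```powershell
# Added example: inspect the Linkage\Export values from the GMER log directly.
# Assumption: a healthy Export value is a REG_MULTI_SZ list of printable
# \Device\... strings; anything else is flagged for a closer look.
$services = 'LanmanServer', 'LanmanWorkstation'
$roots    = 'HKLM:\SYSTEM\CurrentControlSet\services',
            'HKLM:\SYSTEM\ControlSet002\services'   # both control sets appear in the log

function Test-LinkageExport {
    param([string]$KeyPath)
    $key  = Get-Item -LiteralPath $KeyPath -ErrorAction Stop
    $kind = $key.GetValueKind('Export')            # expected: MultiString
    $entries = @($key.GetValue('Export'))
    foreach ($e in $entries) {
        # Printable ASCII only, and every entry should name a \Device object.
        $printable = $e -match '^[\x20-\x7E]+$'
        $isDevice  = $e -like '\Device\*'
        [pscustomobject]@{
            Key       = $KeyPath
            ValueKind = $kind
            Entry     = $e
            Printable = $printable
            IsDevice  = $isDevice
            Suspect   = -not ($printable -and $isDevice -and $kind -eq 'MultiString')
        }
    }
}

$results = foreach ($r in $roots) {
    foreach ($s in $services) {
        $path = Join-Path $r "$s\Linkage"
        # ControlSet002 may not exist on every machine, so skip missing keys.
        if (Test-Path -LiteralPath $path) { Test-LinkageExport -KeyPath $path }
    }
}
$results | Format-Table -AutoSize
```

Run from an elevated prompt; rows with `Suspect` set to True are the ones worth comparing against a known-good system rather than trusting a scanner's rendering alone.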

#15 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:09:41 PM

Posted 27 July 2011 - 03:39 PM

Hi tritonsmoon,

I suspect a rootkit (that's a really odd looking GMER log), and rootkits tend to hide, so since you said you aren't seeing anything else odd, that makes sense.

Step 1: Please download Avira AntiRootkit and save it to your Desktop.
  • You should now find a file called: antivir_rootkit_en.zip on your Desktop.
  • Extract the file to your Desktop (you may then delete the zip file).
  • You should now have a folder with Setup.exe and some other files within it on your Desktop.
  • Double-click Setup.exe.
  • Click Next.
  • Highlight the radio button to accept the license agreement and then click Next.
  • Then click Next and Install to finalise the installation process.
  • Click Finish (you may now also delete the folder with the extracted files from the zip archive)
You successfully installed Avira AntiRootkit!
  • Please now navigate to Start > All Programs > Avira RootKit Detection. Then select: Avira RootKit Detection
  • Click OK when a message window pops up
  • Click Start scan and let it run
  • Click View report and copy the entire contents into your next reply.

Edited by jntkwx, 27 July 2011 - 03:40 PM.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.




