
Redirect in IE8 but not Firefox


6 replies to this topic

#1 shimian

  • Members
  • 5 posts

Posted 28 July 2011 - 08:31 AM

Windows XP SP3

I recently removed a Fake AV program and thought I was in the clear, but now I'm getting my Internet Explorer redirected randomly. By randomly I mean it happens 1/4 of the time when I click a link or press Home button. It doesn't seem to discriminate about going to security websites or windows update, and it brings up random ad websites.

I usually use Firefox 5, but since the virus scare Firefox has been reeeeaaaallly slow. It will go to a page and just hang for 45 seconds. The computer won't freeze, just Firefox. In Task Manager Firefox now takes about 100MB memory, so something's wrong there. Note that in Firefox, I am not getting redirected just the freezes.

My Trend Micro antivirus has been disabled and I can't seem to reactivate it, which points to a nasty infection. Here's some of the stuff I've tried so far.

RKill - didn't find/kill anything in safe mode
BitDefender removal tool for TDL4 rootkit - found nothing
Kaspersky TDSSKiller - found nothing
Trend Micro RootkitBuster - found nothing
Advanced System Care 4 - found nothing
Malwarebytes - This is weird. Every scan picks up multiple infections and I fix them all but they keep coming back!



#2 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 28 July 2011 - 09:32 AM

Hi shimian,

Welcome to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

 

Step 1: Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer Log Errors
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go . Please put code boxes around just this log, like this, but without the x: [xcode] MiniToolBox log [/xcode]

Step 2: Rerun Malwarebytes (Full Scan. May take some time to complete. Please be patient.)
Open Malwarebytes, click on the Update tab, and click the check for Updates button.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If you have trouble updating, troubleshoot Malwarebytes' Anti-Malware

Step 3: SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE (copy and paste that website address) and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a USB drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

Step 4: Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


In your next reply, please include:
  • MiniToolBox log
  • Malwarebytes log
  • SuperAntiSpyware log
  • GMER log
  • How's your computer running now? Please provide a detailed description of any remaining problems, detailed word-for-word error messages that you are receiving, and/or screenshots of strange behavior.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.
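Step 1 asks MiniToolBox to report the IE and Firefox proxy settings and the contents of the hosts file, because a browser-redirect infection often works by pointing the browser at a local proxy listener or by rewriting name lookups in hosts. The script below is an added example for this thread, not MiniToolBox and not code from any poster: it parses a Firefox prefs.js fragment and a hosts file and flags the same indicators a helper looks for in that log, namely a proxy aimed at a loopback address, a proxy that is configured but not currently active, and any hosts entry beyond the stock localhost lines. The sample inputs are constructed (the 203.0.113.10 address is a documentation-range placeholder), and the prefs.js and hosts formats are the real ones Firefox and Windows use.

```python
"""Check Firefox proxy prefs and the hosts file for redirect/hijack indicators.

Added example for this thread; it is not MiniToolBox and not code from any
poster. It reads the same two artifacts that step 1 asks MiniToolBox to report.
"""
import ipaddress
import re

# Constructed sample prefs.js text (not the log posted in this thread).
SAMPLE_PREFS_JS = """\
user_pref("browser.startup.homepage_override.mstone", "5.0");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 58586);
user_pref("network.proxy.type", 1);
"""

# Constructed hosts file: the stock loopback lines plus two injected entries
# (203.0.113.0/24 is a documentation range, so the address is a placeholder).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.example-av-vendor.test
203.0.113.10    update.example.test
"""

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);$')


def parse_prefs(text):
    """Return {name: value} from prefs.js/user.js lines; values become str, int or bool."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave anything unexpected as the raw token
    return prefs


def _is_loopback(host):
    """True for 127.x / ::1 or the literal name 'localhost'."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def proxy_findings(prefs):
    """Flag manual proxy entries. network.proxy.type: 0 = none, 1 = manual,
    2 = PAC URL, 4 = auto-detect, 5 = system settings (Firefox default when absent)."""
    findings = []
    ptype = prefs.get("network.proxy.type", 5)
    state = "ACTIVE" if ptype == 1 else f"inactive (proxy type {ptype})"
    for scheme in ("http", "ssl", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        if not host:
            continue
        port = prefs.get(f"network.proxy.{scheme}_port")
        where = "loopback listener" if _is_loopback(host) else "external host"
        findings.append(f"{scheme} proxy -> {where} {host}:{port}, {state}")
    if ptype == 2:
        findings.append(f"PAC script configured: {prefs.get('network.proxy.autoconfig_url')}")
    return findings


def hosts_findings(text):
    """Return every hosts entry except the stock 'localhost' loopback lines."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        if _is_loopback(ip) and names == ["localhost"]:
            continue
        findings.append(f"{ip} -> {', '.join(names)}")
    return findings


def run_checks(prefs_text=SAMPLE_PREFS_JS, hosts_text=SAMPLE_HOSTS):
    """Run both checks; returns {'proxy': [...], 'hosts': [...]}."""
    return {"proxy": proxy_findings(parse_prefs(prefs_text)),
            "hosts": hosts_findings(hosts_text)}


if __name__ == "__main__":
    for section, items in run_checks().items():
        print(f"[{section}] {len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

A proxy entry that is present but inactive (proxy type 0) is still reported, since a leftover 127.0.0.1 listener setting is a useful trace of what the infection changed even after the browser has been switched back to a direct connection; on a real machine the inputs would be the user's prefs.js and C:\WINDOWS\system32\drivers\etc\hosts.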


#3 shimian
  • Topic Starter

  • Members
  • 5 posts

Posted 28 July 2011 - 01:09 PM

Thank you for the reply.
Unfortunately the same symptoms are there after all that scanning.


Here are my results:

MiniToolBox by Farbar 
Ran by hlee (administrator) on 28-07-2011 at 08:32:32
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ============================== 

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ============================== 

"network.proxy.http", "127.0.0.1"
"network.proxy.http_port", 58586
"network.proxy.type", 0
Hosts file not detected in the default diroctory

========================= IP Configuration: ================================

# ---------------------------------- 
# Interface IP Configuration         
# ---------------------------------- 
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp 
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



        Host Name . . . . . . . . . . . . : henry-pc

        Primary Dns Suffix  . . . . . . . : corp.bahs.com

        Node Type . . . . . . . . . . . . : Hybrid

        IP Routing Enabled. . . . . . . . : No

        WINS Proxy Enabled. . . . . . . . : No

        DNS Suffix Search List. . . . . . : corp.bahs.com

                                            corp.bahs.com

                                            bahs.com



Ethernet adapter Local Area Connection:



        Connection-specific DNS Suffix  . : corp.bahs.com

        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection

        Physical Address. . . . . . . . . : 00-19-DB-80-34-D6

        Dhcp Enabled. . . . . . . . . . . : Yes

        Autoconfiguration Enabled . . . . : Yes

        IP Address. . . . . . . . . . . . : 192.168.1.164

        Subnet Mask . . . . . . . . . . . : 255.255.255.0

        Default Gateway . . . . . . . . . : 192.168.1.1

        DHCP Server . . . . . . . . . . . : 192.168.1.18

        DNS Servers . . . . . . . . . . . : 192.168.1.11

        Lease Obtained. . . . . . . . . . : Thursday, July 28, 2011 8:11:54 AM

        Lease Expires . . . . . . . . . . : Friday, August 05, 2011 8:11:54 AM

Server:  backup-dc.corp.bahs.com
Address:  192.168.1.11

DNS request timed out.
    timeout was 2 seconds.
Name:    google.com
Addresses:  74.125.224.144, 74.125.224.146, 74.125.224.148, 74.125.224.145
	  74.125.224.147



Pinging google.com [74.125.224.146] with 32 bytes of data:



Reply from 74.125.224.146: bytes=32 time=47ms TTL=53

Request timed out.



Ping statistics for 74.125.224.146:

    Packets: Sent = 2, Received = 1, Lost = 1 (50% loss),

Approximate round trip times in milli-seconds:

    Minimum = 47ms, Maximum = 47ms, Average = 47ms

Server:  backup-dc.corp.bahs.com
Address:  192.168.1.11

Name:    yahoo.com.bahs.com
Address:  208.87.33.150



Pinging yahoo.com [67.195.160.76] with 32 bytes of data:



Reply from 67.195.160.76: bytes=32 time=222ms TTL=50

Reply from 67.195.160.76: bytes=32 time=212ms TTL=50



Ping statistics for 67.195.160.76:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 212ms, Maximum = 222ms, Average = 217ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=64

Reply from 127.0.0.1: bytes=32 time<1ms TTL=64



Ping statistics for 127.0.0.1:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 19 db 80 34 d6 ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.164	  20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1	  1
      192.168.1.0    255.255.255.0    192.168.1.164   192.168.1.164	  20
    192.168.1.164  255.255.255.255        127.0.0.1       127.0.0.1	  20
    192.168.1.255  255.255.255.255    192.168.1.164   192.168.1.164	  20
        224.0.0.0        240.0.0.0    192.168.1.164   192.168.1.164	  20
  255.255.255.255  255.255.255.255    192.168.1.164   192.168.1.164	  1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/28/2011 08:13:15 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "Intuit QuickBooks Enterprise Solutions 11.0":
Got unexpected error 5 in call to NetShareGetInfo for path \\fileserver\acct\BAHS(2).QBW

Error: (07/28/2011 08:12:42 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (07/28/2011 08:12:42 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (07/28/2011 08:12:42 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (07/28/2011 08:12:27 AM) (Source: UserInit) (User: )
Description: Could not execute the following script logon.bat. The system cannot find the file specified.
.

Error: (07/28/2011 08:12:24 AM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Attempt to determine whether user and machine accounts are in the same forest failed (The interface is unknown. ).

Error: (07/28/2011 08:12:24 AM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

Error: (07/28/2011 08:12:24 AM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot find the machine account, No authority could be contacted for authentication. .

Error: (07/28/2011 07:35:29 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (07/28/2011 07:35:29 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle


System errors:
=============
Error: (07/28/2011 08:27:18 AM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 30 minutes.
NtpClient has no source of accurate time.

Error: (07/28/2011 08:13:31 AM) (Source: Service Control Manager) (User: )
Description: The Trend Micro Solution Platform service failed to start due to the following error: 
%%5

Error: (07/28/2011 08:12:24 AM) (Source: Kerberos) (User: )
Description: The kerberos subsystem encountered a PAC verification failure. 
This indicates that the PAC from the client HENRY-PC$ in realm CORP.BAHS.COM had a PAC which failed to
verify or was modified.  Contact your system administrator.

Error: (07/28/2011 08:12:18 AM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (07/28/2011 08:12:18 AM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (07/28/2011 07:46:59 AM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 30 minutes.
NtpClient has no source of accurate time.

Error: (07/28/2011 07:34:45 AM) (Source: DCOM) (User: hlee)
Description: DCOM got error "%%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Error: (07/28/2011 07:34:40 AM) (Source: DCOM) (User: hlee)
Description: DCOM got error "%%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{943B6A75-BB5E-41A7-A6D3-A1A5E892B33B}

Error: (07/28/2011 07:34:40 AM) (Source: DCOM) (User: hlee)
Description: DCOM got error "%%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{943B6A75-BB5E-41A7-A6D3-A1A5E892B33B}

Error: (07/28/2011 07:34:32 AM) (Source: DCOM) (User: hlee)
Description: DCOM got error "%%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{943B6A75-BB5E-41A7-A6D3-A1A5E892B33B}


Microsoft Office Sessions:
=========================
Error: (07/28/2011 08:13:15 AM) (Source: QuickBooks)(User: )
Description: Intuit QuickBooks Enterprise Solutions 11.0Got unexpected error 5 in call to NetShareGetInfo for path \\fileserver\acct\BAHS(2).QBW

Error: (07/28/2011 08:12:42 AM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (07/28/2011 08:12:42 AM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (07/28/2011 08:12:42 AM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (07/28/2011 08:12:27 AM) (Source: UserInit)(User: )
Description: logon.batThe system cannot find the file specified.

Error: (07/28/2011 08:12:24 AM) (Source: Userenv)(User: SYSTEM)SYSTEM
Description: The interface is unknown.

Error: (07/28/2011 08:12:24 AM) (Source: Userenv)(User: SYSTEM)SYSTEM
Description: 

Error: (07/28/2011 08:12:24 AM) (Source: Userenv)(User: SYSTEM)SYSTEM
Description: No authority could be contacted for authentication.

Error: (07/28/2011 07:35:29 AM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (07/28/2011 07:35:29 AM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle


=========================== Installed Programs ============================

7-Zip 9.20
Acrobat.com (Version: 2.0.0)
Acrobat.com (Version: 2.0.0.0)
Adobe AIR (Version: 1.5.3.9120)
Adobe Flash Player 10 ActiveX (Version: 10.0.42.34)
Adobe Flash Player 10 Plugin (Version: 10.3.181.26)
Adobe Reader 9.4.5 (Version: 9.4.5)
Advanced SystemCare 3 (Version: 3.7.3)
Broadcom Management Programs (Version: 11.67.01)
Compatibility Pack for the 2007 Office system (Version: 12.0.6514.5001)
ConvertXtoDVD 4.1.2.336 (Version: 4.1.2.336)
CPUID CPU-Z 1.56
EMCO MoveOnBoot 2.2 (Version: 2.2.6.3456)
GIMP 2.6.11 (Version: 2.6.11)
HiJackThis (Version: 1.0.0)
HP Product Detection (Version: 9.7.3)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Java Auto Updater (Version: 2.0.2.4)
Java(TM) 6 Update 21 (Version: 6.0.210)
Malwarebytes' Anti-Malware version 1.51.1.1800 (Version: 1.51.1.1800)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Office 2003 Primary Interop Assemblies (Version: 11.0.6553.0)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Live Add-in 1.4 (Version: 2.0.3008.0)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Silverlight (Version: 4.0.60531.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2005 Tools for Office Runtime (Version: 8.0.60940.0)
Mozilla Firefox 5.0 (x86 en-US) (Version: 5.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
PageRage 1.10.01 (Version: 1.10.01)
QODBC Driver
QuickBooks (Version: 21.0.4006.904)
QuickBooks Enterprise Solutions 11.0 (Version: 21.0.4006.904)
QuickBooks Product Listing Service (Version: 2.0.126)
Realtek High Definition Audio Driver (Version: 5.10.0.5329)
Sophos Anti-Rootkit 1.5.4 (Version: 1.5.4)
Steam (Version: 1.0.0.0)
SupportSoft Assisted Service (Version: 15)
Trend Micro Worry-Free Business Security Agent (Version: 1.0.0)
Trend Micro Worry-Free Business Security Agent (Version: 7.0.1638)
VLC media player 1.1.9 (Version: 1.1.9)
VNC Free Edition 4.1.3 (Version: 4.1.3)
Vuze (Version: 4.6)
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Live ID Sign-in Assistant (Version: 6.500.3165.0)
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0 (Version: 04.00.6001.503)
WinRAR archiver
ZoneAlarm (Version: 9.2.106.000)

========================= Memory info: ===================================

Percentage of memory in use: 32%
Total physical RAM: 2038.42 MB
Available physical RAM: 1374.67 MB
Total Pagefile: 3409.49 MB
Available Pagefile: 2759.81 MB
Total Virtual: 2047.88 MB
Available Virtual: 1998.05 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:64.51 GB) (Free:50.58 GB) NTFS
2 Drive d: (HP_RECOVERY) (Fixed) (Total:10 GB) (Free:8.2 GB) NTFS
3 Drive h: (Data) (Network) (Total:150 GB) (Free:132.96 GB) NTFS
4 Drive m: (Data) (Network) (Total:150 GB) (Free:132.96 GB) NTFS
5 Drive n: (Data) (Network) (Total:150 GB) (Free:132.96 GB) NTFS
6 Drive p: (Data) (Network) (Total:150 GB) (Free:132.96 GB) NTFS
7 Drive q: (Data) (Network) (Total:150 GB) (Free:132.96 GB) NTFS
8 Drive s: (Data) (Network) (Total:150 GB) (Free:132.96 GB) NTFS

========================= Users: ========================================

User accounts for \\HENRY-PC

Administrator            ASPNET                   Guest                    
HelpAssistant            henry                    SUPPORT_388945a0         


== End of log == 

Malwarebytes log:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7311

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/28/2011 10:47:41 AM
mbam-log-2011-07-28 (10-47-41).txt

Scan type: Full scan (C:\|)
Objects scanned: 252579
Time elapsed: 20 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SuperAntiSpyware log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/28/2011 at 09:21 AM

Application Version : 4.55.1000

Core Rules Database Version : 7474
Trace Rules Database Version: 5286

Scan type : Complete Scan
Total Scan Time : 00:40:01

Memory items scanned : 627
Memory threats detected : 0
Registry items scanned : 6290
Registry threats detected : 30
File items scanned : 47588
File threats detected : 520

Rogue.Agent/Gen
HKLM\Software\Classes\CLSID\{0475C2A7-35A8-4850-9D5C-9189ED24C3Ee}
HKCR\CLSID\{0475C2A7-35A8-4850-9D5C-9189ED24C3EE}
HKCR\CLSID\{0475C2A7-35A8-4850-9D5C-9189ED24C3EE}\InprocServer32
HKCR\CLSID\{0475C2A7-35A8-4850-9D5C-9189ED24C3EE}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AVIFILE32.DLL
HKLM\Software\Classes\CLSID\{08BB3FA9-9E14-4E20-B7DE-C8A9589A1F38}
HKCR\CLSID\{08BB3FA9-9E14-4E20-B7DE-C8A9589A1F38}
HKCR\CLSID\{08BB3FA9-9E14-4E20-B7DE-C8A9589A1F38}\InprocServer32
HKCR\CLSID\{08BB3FA9-9E14-4E20-B7DE-C8A9589A1F38}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{08EB854E-35A8-4850-9D5C-9189ED24C3Ee}
HKCR\CLSID\{08EB854E-35A8-4850-9D5C-9189ED24C3EE}
HKCR\CLSID\{08EB854E-35A8-4850-9D5C-9189ED24C3EE}\InprocServer32
HKCR\CLSID\{08EB854E-35A8-4850-9D5C-9189ED24C3EE}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{11767F53-9E14-4E20-B7DE-C8A9589A1F38}
HKCR\CLSID\{11767F53-9E14-4E20-B7DE-C8A9589A1F38}
HKCR\CLSID\{11767F53-9E14-4E20-B7DE-C8A9589A1F38}\InprocServer32
HKCR\CLSID\{11767F53-9E14-4E20-B7DE-C8A9589A1F38}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{11D70A9C-35A8-4850-9D5C-9189ED24C3Ee}
HKCR\CLSID\{11D70A9C-35A8-4850-9D5C-9189ED24C3EE}
HKCR\CLSID\{11D70A9C-35A8-4850-9D5C-9189ED24C3EE}\InprocServer32
HKCR\CLSID\{11D70A9C-35A8-4850-9D5C-9189ED24C3EE}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0475C2A7-35A8-4850-9D5C-9189ED24C3Ee}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{08BB3FA9-9E14-4E20-B7DE-C8A9589A1F38}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{08EB854E-35A8-4850-9D5C-9189ED24C3Ee}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11767F53-9E14-4E20-B7DE-C8A9589A1F38}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11D70A9C-35A8-4850-9D5C-9189ED24C3Ee}
HKU\S-1-5-21-2025429265-413027322-725345543-1621\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0475C2A7-35A8-4850-9D5C-9189ED24C3EE}
HKU\S-1-5-21-2025429265-413027322-725345543-1621\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08BB3FA9-9E14-4E20-B7DE-C8A9589A1F38}
HKU\S-1-5-21-2025429265-413027322-725345543-1621\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08EB854E-35A8-4850-9D5C-9189ED24C3EE}
HKU\S-1-5-21-2025429265-413027322-725345543-1621\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11767F53-9E14-4E20-B7DE-C8A9589A1F38}
HKU\S-1-5-21-2025429265-413027322-725345543-1621\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11D70A9C-35A8-4850-9D5C-9189ED24C3EE}

Adware.Tracking Cookie
C:\Documents and Settings\hlee\Cookies\hlee@shopica[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@ads.bleepingcomputer[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@linksynergy[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@ru4[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@gotacha.rotator.hadj7.adjuggler[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@adxpose[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@server.iad.liveperson[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@liveperson[4].txt
C:\Documents and Settings\hlee\Cookies\hlee@mediaplex[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@collective-media[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@stopzilla[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@adserver.adtechus[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@interclick[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@liveperson[3].txt
C:\Documents and Settings\hlee\Cookies\hlee@ads.pointroll[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@www.find-fast-answers[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@content.yieldmanager[3].txt
C:\Documents and Settings\hlee\Cookies\hlee@pointroll[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@bizzclick[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@ads.pointroll[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@microsoftsto.112.2o7[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@lucidmedia[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@revsci[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@ad.yieldmanager[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@solvemedia[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@dmtracker[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@advertise[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@kontera[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@at.atwola[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@realmedia[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@adknowledge[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@media6degrees[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@s.clickability[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@statse.webtrendslive[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@anrtx.tacoda[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@content.yieldmanager[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@in.getclicky[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@tacoda.at.atwola[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@liveperson[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@richmedia.yahoo[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@ads.undertone[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@ads.pubmatic[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@a1.interclick[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@yieldmanager[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@xiti[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@dc.tremormedia[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@r1-ads.ace.advertising[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@legolas-media[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@www.stopzilla[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@tacoda[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@adinterax[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@advertising[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@questionmarket[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@www.burstnet[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@gotacha.rotator.hadj7.adjuggler[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@ad.wsod[3].txt
C:\Documents and Settings\hlee\Cookies\hlee@invitemedia[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@ar.atwola[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@mediabrandsww[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@content.yieldmanager[4].txt
C:\Documents and Settings\hlee\Cookies\hlee@mm.chitika[1].txt
C:\Documents and Settings\ggilman\Cookies\ggilman@ad.wsod[2].txt
C:\Documents and Settings\ggilman\Cookies\ggilman@atdmt[1].txt
.247realmedia.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.apmebf.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.mediaplex.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.247realmedia.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ru4.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ru4.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.specificclick.net [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.casalemedia.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.casalemedia.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.casalemedia.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.casalemedia.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.casalemedia.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.casalemedia.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.doubleclick.net [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.content.yieldmanager.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.yieldmanager.net [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.imrworldwide.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.imrworldwide.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.at.atwola.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atwola.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.mediabrandsww.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.at.atwola.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.tacoda.at.atwola.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.tacoda.at.atwola.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.tacoda.at.atwola.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.tacoda.at.atwola.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.at.atwola.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.content.yieldmanager.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
wstat.wibiya.com [ C:\Documents and Settings\ggilman\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
C:\Documents and Settings\gvalenzuela\Cookies\gvalenzuela@2o7[1].txt
C:\Documents and Settings\gvalenzuela\Cookies\gvalenzuela@ad.wsod[2].txt
C:\Documents and Settings\gvalenzuela\Cookies\gvalenzuela@advertising[1].txt
C:\Documents and Settings\gvalenzuela\Cookies\gvalenzuela@ar.atwola[1].txt
C:\Documents and Settings\gvalenzuela\Cookies\gvalenzuela@ar.atwola[3].txt
C:\Documents and Settings\gvalenzuela\Cookies\gvalenzuela@ar.atwola[4].txt
C:\Documents and Settings\gvalenzuela\Cookies\gvalenzuela@at.atwola[1].txt
C:\Documents and Settings\gvalenzuela\Cookies\gvalenzuela@atdmt[2].txt
C:\Documents and Settings\gvalenzuela\Cookies\gvalenzuela@atwola[2].txt
C:\Documents and Settings\gvalenzuela\Cookies\gvalenzuela@doubleclick[1].txt
C:\Documents and Settings\gvalenzuela\Cookies\gvalenzuela@insightexpressai[2].txt
C:\Documents and Settings\gvalenzuela\Cookies\gvalenzuela@msnportal.112.2o7[1].txt
C:\Documents and Settings\gvalenzuela\Cookies\gvalenzuela@questionmarket[1].txt
C:\Documents and Settings\gvalenzuela\Cookies\gvalenzuela@tacoda.at.atwola[2].txt
C:\Documents and Settings\gvalenzuela\Cookies\gvalenzuela@yieldmanager[1].txt
C:\Documents and Settings\gvalenzuela\Cookies\gvalenzuela@zedo[2].txt
C:\Documents and Settings\henry\Cookies\henry@ad.wsod[2].txt
C:\Documents and Settings\henry\Cookies\henry@ad.yieldmanager[2].txt
C:\Documents and Settings\henry\Cookies\henry@atdmt[2].txt
C:\Documents and Settings\henry\Cookies\henry@bs.serving-sys[1].txt
C:\Documents and Settings\henry\Cookies\henry@fastclick[1].txt
C:\Documents and Settings\henry\Cookies\henry@interclick[2].txt
C:\Documents and Settings\henry\Cookies\henry@msnportal.112.2o7[1].txt
C:\Documents and Settings\henry\Cookies\henry@serving-sys[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@ad.wsod[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@ad.yieldmanager[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@cdn4.specificclick[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@clients.pointroll[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@content.yieldmanager[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@invitemedia[1].txt
C:\Documents and Settings\hlee\Cookies\hlee@kanoodle[2].txt
C:\Documents and Settings\hlee\Cookies\hlee@ordie.adbureau[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@247realmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@247realmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@247realmedia[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@2o7[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@2o7[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@2o7[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@2o7[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@a1.interclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@a1.interclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@a1.interclick[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[7].txt
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[8].txt
C:\Documents and Settings\NetworkService\Cookies\system@adbrite[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adbrite[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@adbrite[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@adbrite[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@adbrite[6].txt
C:\Documents and Settings\NetworkService\Cookies\system@adinterax[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.addynamix[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.ask[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.bighealthtree[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.blogtalkradio[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.blogtalkradio[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.blogtalkradio[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.financialcontent[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.lycos[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.lycos[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[6].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.pubmatic[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.pubmatic[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.pureleads[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.react2media[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.undertone[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.undertone[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@adserv.brandaffinity[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@adserv.brandaffinity[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adserv.brandaffinity[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@adserv.brandaffinity[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@adserver.adtechus[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@adserver.adtechus[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adserver.adtechus[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@adserver.valwa[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@adserving.ezanga[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adserving.localpages[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adtechus[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@adtechus[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adtech[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertisefirst[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertisefirst[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertising[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertising[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertising[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertising[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@adx.bidsystem[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adx.bidsystem[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@adx.bidsystem[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@adxpose[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@adxpose[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adxpose[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@andomedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@apmebf[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@apmebf[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@apmebf[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@ar.atwola[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ar.atwola[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@at.atwola[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@at.atwola[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@at.atwola[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@atwola[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@beacon.dmsinsights[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@beacon.dmsinsights[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@beacon.dmsinsights[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@bizrate[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@bs.serving-sys[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@bs.serving-sys[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@bs.serving-sys[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@burstbeacon[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@burstbeacon[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@burstbeacon[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@burstnet[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@burstnet[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@burstnet[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@casalemedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@casalemedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@cdn.jemamedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@cdn.jemamedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@cdn.jemamedia[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@cdn1.trafficmp[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@citi.bridgetrack[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@citi.bridgetrack[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@citi.bridgetrack[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@click.fastpartner[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@click.fastpartner[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@click.fastpartner[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@click.fastpartner[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickkick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickkick[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@clicks.freesearchbuddy[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@clicksor[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickthrough.kanoodle[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickthrough.kanoodle[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickthrough.kanoodle[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@collective-media[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@collective-media[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@collective-media[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@collective-media[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[6].txt
C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[7].txt
C:\Documents and Settings\NetworkService\Cookies\system@counter.hitslink[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@counters.gigya[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@counters.gigya[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@crackle[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@dealtime[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@digitalentertainment.122.2o7[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[7].txt
C:\Documents and Settings\NetworkService\Cookies\system@eas.apm.emediate[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@educationcom.112.2o7[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@educationcom.112.2o7[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@educationsuccess.122.2o7[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ehg-players.hitbox[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ehg-players.hitbox[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ehg-verizon.hitbox[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ehg-wss.hitbox[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@enhance[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@enhance[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@enhance[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@entrepreneur[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ev.ads.pointroll[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@eyewonder[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@fastclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@fastclick[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@fastclick[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@fastclick[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@findology[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@findology[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@googleads.g.doubleclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@googleads.g.doubleclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@gotacha.rotator.hadj7.adjuggler[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@hitbox[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@hitbox[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@hitbox[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@homestore.122.2o7[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@in.getclicky[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@in.getclicky[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@indoormedia.co[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@insightexpressai[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@insightexpressai[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@insightexpressai[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@insightexpressai[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@interclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@interclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@interclick[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@investorplacemedia.122.2o7[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@kontera[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@kontera[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@kontera[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@legolas-media[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@legolas-media[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@lucidmedia[10].txt
C:\Documents and Settings\NetworkService\Cookies\system@lucidmedia[11].txt
C:\Documents and Settings\NetworkService\Cookies\system@lucidmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@lucidmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@lucidmedia[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@lucidmedia[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@lucidmedia[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@lucidmedia[7].txt
C:\Documents and Settings\NetworkService\Cookies\system@lucidmedia[8].txt
C:\Documents and Settings\NetworkService\Cookies\system@lucidmedia[9].txt
C:\Documents and Settings\NetworkService\Cookies\system@media.twitter[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediabrandsww[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediabrandsww[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediabrandsww[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediabrandsww[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediaplex[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediaplex[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediaplex[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediaplex[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediatraffic[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediatraffic[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediatraffic[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@mm.chitika[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@mm.chitika[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@mm.chitika[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@mm.chitika[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@mtvn.112.2o7[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@mtvn.112.2o7[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@myroitracking[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@network.realmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@oasc05126.247realmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@openx.yourdailymedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@overture[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@overture[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@overture[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@p221t1s1846957.kronos.bravenetmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@p355t1s3581803.kronos.bravenetmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@pixel.invitemedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@pointroll[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@pointroll[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@pointroll[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@pro-market[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@pro-market[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@pro-market[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@pro-market[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@pro-market[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@realmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@realmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@realmedia[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@realmedia[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@revenue[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@revsci[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@revsci[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@revsci[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@ru4[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ru4[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ru4[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@ru4[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@ru4[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@search.321findit[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@search.amazeclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@search.boltfind[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@search.boltfind[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@search.clickcheer[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@search.clicksare[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@search.clicksclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@search.clicksclick[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@search.clicksthe[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@search.clicksthis[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@search.clicksthis[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@search.clickwhale[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@search.clickwhale[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@search.findsmy[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@search.findxml[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@search.findxml[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@search.hippofind[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@search.hippofind[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@search.orfind[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@search.seekfinds[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@search.seekfinds[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@searchnet.chitika[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@searchnet.chitika[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@server.cpmstar[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@server.cpmstar[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificclick[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificmedia[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@stat.dealtime[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@statcounter[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@statcounter[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@statcounter[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@t.pointroll[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@t.pointroll[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@t.pointroll[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@t.pointroll[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@tacoda.at.atwola[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@tacoda.at.atwola[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@tacoda.at.atwola[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@thefind[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@tracking.waterfrontmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@trafficengine[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@trafficengine[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@trafficengine[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@trafficking.nabbr[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@trafficking.nabbr[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@travelaffiliateworld.directtrack[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@tremormedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@uiadserver[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@user.lucidmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@user.lucidmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@user.lucidmedia[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@viacom.adbureau[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@viacom.adbureau[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@viacom.adbureau[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@viewablemedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@viewablemedia[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@wstat.wibiya[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.burstbeacon[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.burstbeacon[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.burstbeacon[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.burstnet[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.burstnet[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.burstnet[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.crackle[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.find-quick-results[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.find-quick-results[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.find-quick-results[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.finditquick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.finditquick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.findsearchengineresults[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.mediaquantics[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.mediaquantics[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.yourdailymedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@xml.mediality[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@xml.trafficengine[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@xml.trafficengine[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@xml.trafficengine[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@yieldmanager[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@yieldmanager[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@yieldmanager[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@yourdailymedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@zedo[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@zedo[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@zedo[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@zedo[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@zedo[5].txt

Trojan.Agent/Gen-IExplorer[Fake]
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RARSFX0\NIRD\IEXPLORE.EXE
C:\DOCUMENTS AND SETTINGS\HLEE\LOCAL SETTINGS\TEMP\RARSFX0\NIRD\IEXPLORE.EXE

Trojan.Agent/Gen-PEC
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RARSFX0\PROCS\EXPLORER.EXE
C:\DOCUMENTS AND SETTINGS\HLEE\LOCAL SETTINGS\TEMP\RARSFX0\PROCS\EXPLORER.EXE

GMER results log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-28 10:21:52
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST380815AS rev.3.CHF
Running: z87fztho[1].exe; Driver: C:\DOCUME~1\hlee\LOCALS~1\Temp\fgdcipog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xA8162534]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xA815C782]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0xA817B6DC]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xA8162CC0]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xA8175EB4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xA81762A2]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0xA817F916]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xA8162DF6]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xA815D398]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xA817CFE4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xA817C93C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xA8174DF0]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0xA817D93C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xA817DB44]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0xA815CFAA]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xA81781CE]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenThread [0xA8177DF8]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0xA817E8D2]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xA817E208]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xA81620F4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xA817F2A4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xA81627DC]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xA815D75C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xA817EE12]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xA817C0C4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xA8176F0A]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA802C620]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C9C 80504538 12 Bytes [C0, 2C, 16, A8, B4, 5E, 17, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2EE4 80504780 8 Bytes [D2, E8, 17, A8, 08, E2, 17, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1404] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [A8167672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [A81674C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [A8167CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [A8165C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [A8165C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [A8167672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [A81674C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [A8167CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [A8167672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [A8165C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [A8167CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [A81674C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [A8167CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [A81674C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [A8167672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [A8165C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [A8167672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [A81674C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [A8167CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [A8167672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [A8165C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [A8167CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [A81674C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion@Thiquhovehulatol 0x43 0x01 0x34 0x03 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB62901$\2203284629 0 bytes
File C:\WINDOWS\$NtUninstallKB62901$\3482109382 0 bytes
File C:\WINDOWS\$NtUninstallKB62901$\3482109382\@.dll 59904 bytes
File C:\WINDOWS\$NtUninstallKB62901$\3482109382\bckfg.tmp 768 bytes
File C:\WINDOWS\$NtUninstallKB62901$\3482109382\cfg.ini 77 bytes
File C:\WINDOWS\$NtUninstallKB62901$\3482109382\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB62901$\3482109382\keywords 52 bytes
File C:\WINDOWS\$NtUninstallKB62901$\3482109382\L 0 bytes
File C:\WINDOWS\$NtUninstallKB62901$\3482109382\L\vokhxobs 36352 bytes
File C:\WINDOWS\$NtUninstallKB62901$\3482109382\U 0 bytes

---- EOF - GMER 1.0.15 ----

#4 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:03:59 PM

Posted 28 July 2011 - 02:04 PM

Hi shimian,

:step1: Open MiniToolBox
Checkmark following boxes:
  • Flush DNS
  • Reset FF Proxy Settings
  • List IP configuration
Click Go. Please put code boxes around just this log, like this, but without the x: [xcode] MiniToolBox log [/xcode]

:step2: Please download the Kaspersky Virus Removal Tool save to your Desktop.
Be sure to print out and read the instructions provided in How to use Kaspersky virus removal tool.
  • Double-click the setup file (i.e. setup_7.0.0.290_24.06.2009_12-58.exe) to install the utility.
  • If using Vista, right-click on it and Run As Administrator.
    If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  • Click Next to continue.
  • It will install by default to your desktop folder. Click Next.
  • Click Ok at the prompt for scanning in Safe Mode if you booted into safe mode.
  • A box will open with a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.
  • System Memory
  • Startup Objects
  • Disk Boot Sectors
  • My Computer
  • Any other drives (except CD-ROM drives)
  • Click on the Scan button.
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threats are left unneutralized in the Scan window (Red exclamation point), click the Neutralize all button.
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot, click the Ok button to close the window.
  • In the Scan window click the Reports button, name the report AVPT.txt and select Save to file.
  • This tool should uninstall when you close it so please save the report log before closing.
  • When done, close the Kaspersky Virus Removal Tool.
  • You will be prompted if you want to uninstall the program. Click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste only the first part of the report (Detected) in your next reply. Do not include the longer list marked Events.
-- If you cannot run the Kaspersky AVP Removal Tool in normal mode, then try using it in "safe mode".

:step3: Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :dir
    %windir%\system32\ /n*.dll /t21
    %windir%\system32\ /n*.exe /t21
    
    :filefind
    hosts
    
    :reg
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main
    
    :regfind
    Uhrtumwwvv
    
  • Click the Look button to start the scan. It is normal for SystemLook to take a couple of minutes to scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



In your next reply, please include:
  • MiniToolBox log
  • Kaspersky log
  • SystemLook log
  • How's your computer running now? Please provide a detailed description of any remaining problems, detailed word-for-word error messages that you are receiving, and/or screenshots of strange behavior.

Regards,
Jason


Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.
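
The MiniToolBox step above includes "Reset FF Proxy Settings". The following Python example is added here to show what that step is looking for; it is not code from this thread, from MiniToolBox or from Farbar. It parses the user_pref lines of a Firefox prefs.js, flags any HTTP/SSL/SOCKS proxy host (or PAC URL) that points at the local machine, and reports whether network.proxy.type actually activates that entry, since a loopback proxy that a removed program no longer listens on is worth cleaning out even when it is currently dormant. The sample prefs lines are constructed for the example.

```python
"""Flag Firefox proxy preferences that point at the local machine.

Added example (not MiniToolBox/Farbar code): parses the user_pref(...)
lines of a Firefox profile's prefs.js and reports any proxy host on the
loopback interface, together with whether network.proxy.type enables it.
"""
import re
from typing import Dict, List, Union
from urllib.parse import urlsplit

PrefValue = Union[str, int, bool]

# One prefs.js / user.js line looks like:  user_pref("name", value);
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample, modelled on the entries MiniToolBox prints under
# "FF Proxy Settings"; it is not a real profile from the thread.
SAMPLE_PREFS = '''\
user_pref("browser.startup.homepage", "http://www.example.com/");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 58586);
user_pref("network.proxy.type", 0);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
'''


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Return {pref name: value} for every user_pref line in `text`."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1]          # string pref
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"      # boolean pref
        else:
            try:
                prefs[name] = int(raw)       # integer pref (ports, proxy type)
            except ValueError:
                prefs[name] = raw            # keep unparsed text rather than drop it
    return prefs


def _is_loopback(host: str) -> bool:
    """True for 127.x.x.x, ::1 (with or without brackets) and localhost."""
    h = host.strip().lower().strip("[]")
    return h == "localhost" or h == "::1" or h.startswith("127.")


def loopback_proxy_findings(prefs: Dict[str, PrefValue]) -> List[str]:
    """Describe every proxy pref that points at the local machine."""
    findings: List[str] = []
    ptype = prefs.get("network.proxy.type")
    # Firefox proxy types: 0 direct, 1 manual, 2 PAC URL, 4 auto-detect, 5 system.
    if ptype == 1:
        state = "ACTIVE (network.proxy.type = 1, manual configuration)"
    elif ptype is None:
        state = "dormant (network.proxy.type not set, Firefox default applies)"
    else:
        state = f"dormant (network.proxy.type = {ptype}); a loopback proxy host is not a Firefox default"
    for scheme in ("http", "ssl", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        if not isinstance(host, str) or not _is_loopback(host):
            continue
        port = prefs.get(f"network.proxy.{scheme}_port", "?")
        findings.append(f"network.proxy.{scheme} -> {host}:{port} {state}")
    # A PAC script served from the local machine is the same trick in another form.
    pac = prefs.get("network.proxy.autoconfig_url")
    if isinstance(pac, str):
        pac_host = urlsplit(pac).hostname
        if pac_host and _is_loopback(pac_host):
            pac_state = "ACTIVE (network.proxy.type = 2)" if ptype == 2 else f"dormant (network.proxy.type = {ptype})"
            findings.append(f"network.proxy.autoconfig_url -> {pac} {pac_state}")
    return findings


def scan_prefs_text(text: str) -> List[str]:
    """Parse prefs.js content and return the loopback-proxy findings."""
    return loopback_proxy_findings(parse_prefs(text))


if __name__ == "__main__":
    for line in scan_prefs_text(SAMPLE_PREFS) or ["no loopback proxy entries found"]:
        print(line)
```

To check a real profile, read the prefs.js from the Firefox profile folder into a string and pass it to scan_prefs_text; resetting the flagged entries is what the MiniToolBox option does for you.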


#5 shimian

shimian
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:59 PM

Posted 29 July 2011 - 07:41 AM

MiniToolBox by Farbar 
Ran by hlee (administrator) on 28-07-2011 at 13:08:07
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.


========================= FF Proxy Settings: ============================== 

"network.proxy.http", "127.0.0.1"
"network.proxy.http_port", 58586
"network.proxy.type", 0
========================= IP Configuration: ================================

# ---------------------------------- 
# Interface IP Configuration         
# ---------------------------------- 
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp 
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration

        Host Name . . . . . . . . . . . . : henry-pc
        Primary Dns Suffix  . . . . . . . : corp.bahs.com
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : corp.bahs.com
                                            corp.bahs.com
                                            bahs.com

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.bahs.com
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-19-DB-80-34-D6
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.164
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.18
        DNS Servers . . . . . . . . . . . : 192.168.1.11
        Lease Obtained. . . . . . . . . . : Thursday, July 28, 2011 10:54:18 AM
        Lease Expires . . . . . . . . . . : Friday, August 05, 2011 10:54:18 AM

Server:  backup-dc.corp.bahs.com
Address:  192.168.1.11

Name:    google.com.bahs.com
Address:  208.87.33.150

Pinging google.com [74.125.224.84] with 32 bytes of data:

SystemLook log
SystemLook 04.09.10 by jpshortstuff
Log created at 04:48 on 29/07/2011 by hlee
Administrator - Elevation successful

========== dir ==========

C:\WINDOWS\system32 - Parameters: "/n*.dll /t21"

---Files---
vsdata.dll --a---- 112128 bytes [17:55 27/07/2011] [08:24 18/03/2011]
vsinit.dll --a---- 228864 bytes [17:55 27/07/2011] [08:24 18/03/2011]
vsmonapi.dll --a---- 108032 bytes [17:56 27/07/2011] [08:24 18/03/2011]
vspubapi.dll --a---- 302592 bytes [17:56 27/07/2011] [08:24 18/03/2011]
vsregexp.dll --a---- 58368 bytes [17:56 27/07/2011] [08:24 18/03/2011]
vsutil.dll --a---- 715264 bytes [17:55 27/07/2011] [08:24 18/03/2011]
vswmi.dll --a---- 43008 bytes [17:56 27/07/2011] [08:24 18/03/2011]
vsxml.dll --a---- 110080 bytes [17:56 27/07/2011] [08:24 18/03/2011]
zlcomm.dll --a---- 69120 bytes [17:56 27/07/2011] [08:24 18/03/2011]
zlcommdb.dll --a---- 104448 bytes [17:56 27/07/2011] [08:24 18/03/2011]
zpeng25.dll --a---- 1238528 bytes [17:56 27/07/2011] [08:24 18/03/2011]

---Folders---
1025 d------ [18:15 18/12/2009]
1028 d------ [18:15 18/12/2009]
1031 d------ [18:15 18/12/2009]
1033 d------ [18:15 18/12/2009]
1037 d------ [18:15 18/12/2009]
1041 d------ [18:15 18/12/2009]
1042 d------ [18:15 18/12/2009]
1054 d------ [18:15 18/12/2009]
2052 d------ [18:15 18/12/2009]
3076 d------ [18:15 18/12/2009]
3com_dmi d------ [18:15 18/12/2009]
appmgmt d------ [17:16 26/02/2010]
ar-SA d------ [08:41 19/12/2009]
CatRoot d------ [18:21 18/12/2009]
CatRoot2 d------ [18:21 18/12/2009]
Com d------ [07:40 19/12/2009]
config d------ [18:15 18/12/2009]
da-DK d------ [08:41 19/12/2009]
de-DE d------ [08:41 19/12/2009]
dhcp d------ [18:15 18/12/2009]
DirectX d------ [07:42 19/12/2009]
dllcache dr-hsc- [18:15 18/12/2009]
drivers d------ [18:15 18/12/2009]
DRVSTORE d----c- [08:15 19/12/2009]
el-GR d------ [08:41 19/12/2009]
en d------ [18:15 18/12/2009]
en-US d------ [07:40 19/12/2009]
es-ES d------ [08:41 19/12/2009]
export d------ [18:15 18/12/2009]
fi-FI d------ [08:41 19/12/2009]
fr-FR d------ [08:41 19/12/2009]
GroupPolicy d------ [08:31 19/12/2009]
he-IL d------ [08:41 19/12/2009]
ias d------ [18:15 18/12/2009]
icsxml d------ [18:15 18/12/2009]
IME d------ [18:15 18/12/2009]
inetsrv d------ [18:15 18/12/2009]
it-IT d------ [08:41 19/12/2009]
ko-KR d------ [08:41 19/12/2009]
Lang d------ [08:17 19/12/2009]
LogFiles d------ [08:27 19/12/2009]
Macromed d------ [07:42 19/12/2009]
Microsoft d---s-- [07:54 19/12/2009]
MsDtc d------ [07:40 19/12/2009]
mui d------ [18:15 18/12/2009]
nb-NO d------ [08:41 19/12/2009]
nl-NL d------ [08:41 19/12/2009]
npp d------ [18:15 18/12/2009]
oobe d------ [18:15 18/12/2009]
PreInstall d------ [08:16 19/12/2009]
pt-BR d------ [08:41 19/12/2009]
ras d------ [18:15 18/12/2009]
ReinstallBackups d------ [08:15 19/12/2009]
Restore d------ [07:41 19/12/2009]
RTCOM d------ [08:13 19/12/2009]
scripting d------ [18:15 18/12/2009]
Setup d------ [18:15 18/12/2009]
ShellExt d------ [18:15 18/12/2009]
SoftwareDistribution d------ [08:06 19/12/2009]
spool d------ [18:15 18/12/2009]
sv-SE d------ [08:41 19/12/2009]
tr-TR d------ [08:41 19/12/2009]
URTTemp d------ [08:26 19/12/2009]
usmt d------ [18:15 18/12/2009]
wbem d------ [18:15 18/12/2009]
windowspowershell d------ [18:08 19/12/2009]
winrm d------ [14:56 29/04/2011]
wins d------ [18:15 18/12/2009]
xircom d------ [07:44 19/12/2009]
XPSViewer d------ [08:36 19/12/2009]
zh-HK d------ [08:41 19/12/2009]
zh-TW d------ [08:41 19/12/2009]
ZoneLabs d------ [17:56 27/07/2011]

C:\WINDOWS\system32 - Parameters: "/n*.exe /t21"

---Files---
MRT.exe --a---- 49089992 bytes [17:16 19/12/2009] [17:38 27/07/2011]

---Folders---
1025 d------ [18:15 18/12/2009]
1028 d------ [18:15 18/12/2009]
1031 d------ [18:15 18/12/2009]
1033 d------ [18:15 18/12/2009]
1037 d------ [18:15 18/12/2009]
1041 d------ [18:15 18/12/2009]
1042 d------ [18:15 18/12/2009]
1054 d------ [18:15 18/12/2009]
2052 d------ [18:15 18/12/2009]
3076 d------ [18:15 18/12/2009]
3com_dmi d------ [18:15 18/12/2009]
appmgmt d------ [17:16 26/02/2010]
ar-SA d------ [08:41 19/12/2009]
CatRoot d------ [18:21 18/12/2009]
CatRoot2 d------ [18:21 18/12/2009]
Com d------ [07:40 19/12/2009]
config d------ [18:15 18/12/2009]
da-DK d------ [08:41 19/12/2009]
de-DE d------ [08:41 19/12/2009]
dhcp d------ [18:15 18/12/2009]
DirectX d------ [07:42 19/12/2009]
dllcache dr-hsc- [18:15 18/12/2009]
drivers d------ [18:15 18/12/2009]
DRVSTORE d----c- [08:15 19/12/2009]
el-GR d------ [08:41 19/12/2009]
en d------ [18:15 18/12/2009]
en-US d------ [07:40 19/12/2009]
es-ES d------ [08:41 19/12/2009]
export d------ [18:15 18/12/2009]
fi-FI d------ [08:41 19/12/2009]
fr-FR d------ [08:41 19/12/2009]
GroupPolicy d------ [08:31 19/12/2009]
he-IL d------ [08:41 19/12/2009]
ias d------ [18:15 18/12/2009]
icsxml d------ [18:15 18/12/2009]
IME d------ [18:15 18/12/2009]
inetsrv d------ [18:15 18/12/2009]
it-IT d------ [08:41 19/12/2009]
ko-KR d------ [08:41 19/12/2009]
Lang d------ [08:17 19/12/2009]
LogFiles d------ [08:27 19/12/2009]
Macromed d------ [07:42 19/12/2009]
Microsoft d---s-- [07:54 19/12/2009]
MsDtc d------ [07:40 19/12/2009]
mui d------ [18:15 18/12/2009]
nb-NO d------ [08:41 19/12/2009]
nl-NL d------ [08:41 19/12/2009]
npp d------ [18:15 18/12/2009]
oobe d------ [18:15 18/12/2009]
PreInstall d------ [08:16 19/12/2009]
pt-BR d------ [08:41 19/12/2009]
ras d------ [18:15 18/12/2009]
ReinstallBackups d------ [08:15 19/12/2009]
Restore d------ [07:41 19/12/2009]
RTCOM d------ [08:13 19/12/2009]
scripting d------ [18:15 18/12/2009]
Setup d------ [18:15 18/12/2009]
ShellExt d------ [18:15 18/12/2009]
SoftwareDistribution d------ [08:06 19/12/2009]
spool d------ [18:15 18/12/2009]
sv-SE d------ [08:41 19/12/2009]
tr-TR d------ [08:41 19/12/2009]
URTTemp d------ [08:26 19/12/2009]
usmt d------ [18:15 18/12/2009]
wbem d------ [18:15 18/12/2009]
windowspowershell d------ [18:08 19/12/2009]
winrm d------ [14:56 29/04/2011]
wins d------ [18:15 18/12/2009]
xircom d------ [07:44 19/12/2009]
XPSViewer d------ [08:36 19/12/2009]
zh-HK d------ [08:41 19/12/2009]
zh-TW d------ [08:41 19/12/2009]
ZoneLabs d------ [17:56 27/07/2011]

========== filefind ==========

Searching for "hosts"
C:\I386\HOSTS --a---- 734 bytes [17:19 19/12/2009] [12:00 14/04/2008] DE1CBFE6C3086010AF115A1F00909B01

========== reg ==========

[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main]
"NoUpdateCheck"= 0x0000000001 (1)
"NoJITSetup"= 0x0000000001 (1)
"Disable Script Debugger"="no"
"Anchor Underline"="yes"
"Cache_Update_Frequency"="Once_Per_Session"
"Display Inline Images"="yes"
"Do404Search"=01 00 00 00 (REG_BINARY)
"Local Page"="C:\WINDOWS\system32\blank.htm"
"Save_Session_History_On_Exit"="no"
"Show_FullURL"="no"
"Show_StatusBar"="yes"
"Show_ToolBar"="yes"
"Show_URLinStatusBar"="yes"
"Show_URLToolBar"="yes"
"Use_DlgBox_Colors"="yes"
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
"XMLHTTP"= 0x0000000001 (1)
"UseClearType"="yes"
"Enable Browser Extensions"="yes"
"Play_Background_Sounds"="yes"
"Play_Animations"="yes"
"Start Page"="http://www.yahoo.com/"
"CompatibilityFlags"= 0x0000000000 (0)
"FullScreen"="no"
"Window_Placement"=2c 00 00 00 02 00 00 00 03 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff cb 00 00 00 00 00 00 00 e9 03 00 00 95 02 00 00 (REG_BINARY)
"Start Page Redirect Cache"="http://www.msn.com/"
"Start Page Redirect Cache_TIMESTAMP"=d2 ed 06 07 3b 82 ca 01 (REG_BINARY)
"Start Page Redirect Cache AcceptLangs"="en-us"
"IE8RunOnceLastShown"= 0x0000000001 (1)
"IE8RunOnceLastShown_TIMESTAMP"=a6 48 a0 0b 3b 82 ca 01 (REG_BINARY)
"IE8RunOncePerInstallCompleted"= 0x0000000001 (1)
"IE8RunOnceCompletionTime"=b6 59 f4 20 3b 82 ca 01 (REG_BINARY)
"IE8TourShown"= 0x0000000001 (1)
"IE8TourShownTime"=7a 0d fb 20 3b 82 ca 01 (REG_BINARY)
"NotifyDownloadComplete"="no"
"Use FormSuggest"="no"
"FormSuggest PW Ask"="no"
"Check_Associations"="no"
"StatusBarWeb"= 0x0000000001 (1)
"AlwaysShowMenus"= 0x0000000001 (1)
"Save Directory"="C:\Documents and Settings\hlee\Desktop\"
"Friendly http errors"="no"
"Print_Background"="no"
"SmoothScroll"= 0x0000000000 (0)
"Use StyleSheets"="yes"
"XMLHTTP_UUID_Default"=a7 c2 75 04 a8 35 50 48 9d 5c 91 89 ed 24 c3 ee (REG_BINARY)
"SSLTLSTokens"=06 00 00 00 18 00 00 00 31 71 74 71 58 4a 67 37 38 72 50 73 62 52 6e 2b 38 33 4c 35 64 51 3d 3d 00 00 00 00 00 00 00 00 00 00 00 00 18 00 00 00 30 36 35 33 52 35 6b 69 39 36 7a 71 63 42 2f 68 2b 32 2b 77 50 4c 77 3d 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 32 61 70 71 57 4a 38 37 39 4c 54 31 63 68 76 35 37 44 75 77 00 00 00 00 00 00 00 00 00 00 00 00 18 00 00 00 6f 56 62 6b 51 4e 4d 37 57 58 42 31 71 38 42 63 48 76 2f 51 77 63 55 3d 00 00 00 00 00 00 00 00 00 00 00 00 18 00 00 00 70 46 50 35 57 39 49 69 58 47 39 7a 74 73 5a 43 45 65 4b 5a 69 41 3d 3d 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 71 31 4c 35 58 39 55 69 57 6d 68 71 71 63 52 45 43 61 76 51 00 00 00 00 00 00 00 00 00 00 00 00 (REG_BINARY)
"ControlTooltipCount"= 0x0000000005 (5)

[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main\Default Feeds]

[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main\FeatureControl]

[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main\WindowsSearch]


========== regfind ==========

Searching for "Uhrtumwwvv"
No data found.

-= EOF =-

Current condition

Internet Explorer doesn't seem to be redirecting anymore. I only checked it for a few minutes but it seems to be working :thumbsup:

I uninstalled Firefox and reinstalled a newer version (since it only takes about 2 minutes) and it seems to have fixed the freeze ups.

Now the only problem (and it's a big one) is that my antivirus still won't start up. It should start when Windows starts, but it doesn't, and when I click the shortcut nothing happens. I am unable to uninstall it through Add/Remove Programs either, since it just gives me an error. I looked into msconfig on my computer and under "Services" I see the antivirus there, but it is "stopped." I am unable to re-enable it. I may have to contact the manufacturer about this one.

I'm using Trend Micro Worry-Free Business Security Agent 7.0 by the way.

Post is too long, I'll try to post the Kaspersky log in another post.
Edit: I couldn't post the Kaspersky log. It's 32 MB and I couldn't find any "detected" section to crop. When I ran the program it didn't detect any threats. Please let me know if I'm doing it wrong.

Edited by shimian, 29 July 2011 - 07:46 AM.
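The SystemLook output above ends with a dump of the HKCU `Internet Explorer\Main` key, which is where a browser hijacker typically rewrites the start page, search page and local (about:blank) page. The following is an added example, not code from the thread or from SystemLook: it parses the `========== reg ==========` section format seen in the log (a `[KEY]` header followed by `"Name"=value` lines, with the REG_SZ, DWORD and REG_BINARY spellings shown there) and flags URL-valued entries whose host is not on an operator-supplied allowlist, plus a `Local Page` that points outside `%SystemRoot%`. The HKCU block in the sample is copied from the log; the HKLM block with `ads.example` and `C:\Temp\blank.htm` is constructed to show a hit, and the allowlist and `system_root` default are assumptions the operator would set.

```python
"""Parse the 'reg' section of a SystemLook dump and flag IE hijack indicators.

Added example, not SystemLook's own code. The dump format is inferred from the
log posted in the thread: a [KEY] header followed by "Name"=value lines.
"""
import re
from urllib.parse import urlparse

KEY_RE = re.compile(r'^\[(.+)\]$')
STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')
DWORD_RE = re.compile(r'^"([^"]+)"=\s*0x([0-9A-Fa-f]+)\s*\((\d+)\)$')
BIN_RE = re.compile(r'^"([^"]+)"=((?:[0-9A-Fa-f]{2}\s*)+)\(REG_BINARY\)$')

# Values under ...\Internet Explorer\Main that browser hijackers commonly rewrite.
URL_VALUES = ("Start Page", "Search Page", "Default_Page_URL",
              "Default_Search_URL", "Start Page Redirect Cache")

# Constructed sample: the HKCU block is taken from the thread's log, the HKLM
# block is made up to show a hijacked start page and a relocated blank page.
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main]
"NoUpdateCheck"= 0x0000000001 (1)
"Do404Search"=01 00 00 00 (REG_BINARY)
"Local Page"="C:\WINDOWS\system32\blank.htm"
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Start Page"="http://www.yahoo.com/"
"Start Page Redirect Cache"="http://www.msn.com/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Start Page"="http://ads.example/"
"Local Page"="C:\Temp\blank.htm"
"""


def parse_systemlook_reg(text):
    """Return {key: {name: (type, value)}} for a SystemLook reg section."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        if (m := DWORD_RE.match(line)):
            current[m.group(1)] = ("REG_DWORD", int(m.group(3)))
        elif (m := BIN_RE.match(line)):
            current[m.group(1)] = ("REG_BINARY",
                                   bytes.fromhex(m.group(2).replace(" ", "")))
        elif (m := STR_RE.match(line)):
            current[m.group(1)] = ("REG_SZ", m.group(2))
    return keys


def find_hijack_indicators(reg, allowed_hosts, system_root="C:\\WINDOWS"):
    """Flag IE 'Main' values that point somewhere the operator did not expect.

    Returns a list of (key, value_name, value, reason) tuples.
    """
    findings = []
    allowed = {h.lower() for h in allowed_hosts}
    for key, values in reg.items():
        if not key.lower().endswith("\\internet explorer\\main"):
            continue
        for name in URL_VALUES:
            if name in values and values[name][0] == "REG_SZ":
                url = values[name][1]
                host = (urlparse(url).hostname or "").lower()
                if host not in allowed:
                    findings.append((key, name, url,
                                     "URL host %r not in allowlist" % host))
        if "Local Page" in values:
            path = values["Local Page"][1]
            if not path.lower().startswith(system_root.lower() + "\\"):
                findings.append((key, "Local Page", path,
                                 "blank page served from outside %SystemRoot%"))
    return findings


if __name__ == "__main__":
    # Allowlist is an assumption: the hosts the user says they configured.
    allowed = {"www.yahoo.com", "go.microsoft.com", "www.msn.com"}
    for key, name, value, reason in find_hijack_indicators(
            parse_systemlook_reg(SAMPLE_DUMP), allowed):
        print("%s\n  %s = %s\n  -> %s" % (key, name, value, reason))
```

Run against a full SystemLook dump the same parser covers HKLM and per-SID `HKEY_USERS` hives, which is where a redirect that survives a fix of the HKCU values usually lives; the `Search Page` and `Start Page Redirect Cache` entries are worth checking as well as `Start Page`, since a hijacker that leaves the home page alone and rewrites only the search target is easy to miss.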


#6 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:03:59 PM

Posted 29 July 2011 - 09:38 AM

I take it this is a business computer?

If so, I strongly recommend you ask your IT support/network administrator to fix this. After all, they are paid to do so.

I ask this for several reasons:
  • There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware.
  • Any infection could jump terminals in a computer network.
  • There may also be legal issues regarding any loss of business data that I do not wish to deal with.
  • Some people who come here use their computers for work, and the computers may contain the patient records of a physician or the financial records of an accountant's clients or credit card and bank account information of their employer's customers.
  • There may be tremendous risks and legal liability for such users for not fully securing the computer. We will not know this unless we ask. We do not want to be accidentally putting those we help in vulnerable positions for lawsuits.
  • Business factors outweigh technical factors in making the reformat and reinstall decision. Sometimes friends give missing CDs or lack of expertise as a reason for not doing a reformat and reinstall.
  • The cost of replacing missing Windows XP and MS Office CDs and getting a Microsoft Certified Systems Engineer to come in for 3 hours to do the reinstall and apply all the critical updates is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
  • In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor trojan which puts them in a particularly vulnerable situation and sending them to seek local professional help from a Microsoft Certified Systems Engineer or Certified Information Systems Security Professional or Global Information Assurance Certification Certified Security Expert or Certified Computing Professional or Internet Service Provider than we would be trying to fully resolve their problems long distance.


If you do not have an IT department / you are the IT department and need assistance cleaning the computer up, please proceed with the following:

With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and please be patient. There is currently a large backlog of people being helped. It may take several days for someone to respond.
Regards,
Jason


Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#7 shimian

shimian
  • Topic Starter

  • Members
  • 5 posts
  • Local time:12:59 PM

Posted 29 July 2011 - 11:04 AM

This is a business computer, but it's a small business with no IT department. I have to handle this kind of stuff myself. I'm looking at reformatting the computer as a last resort.

I have posted a new thread in the suggested forum and will await a reply. Thank you for your help.



