
Adware/popup Mess


  • This topic is locked
39 replies to this topic

#1 perro406

  • Members
  • 24 posts

Posted 29 May 2006 - 04:31 PM

Hey guys, first off, a preemptive thanks to anyone who helps me out on this one. The last few days my computer has been afflicted with a plethora of nasty adware crap. I've managed to root most of it out, and it seems as though I've gotten rid of Zeno, SurfSideKick, and a few other big ones. However, there is still something out there that I can't get rid of. I'm not sure what it is exactly. Ad-Aware can't completely root out the mess; it's still getting dozens of objects every time I run it. I've never been a big SpyBot fan, and it's continuing to impress.....crashes halfway through the search every time, and if I stop it when it's partially done and try to "fix" the few things it's found, it just closes itself without so much as an error message....no help there. Stinger and antivirus haven't turned up anything.

As for the actual problem itself, it's just popups more or less. There seems to be a pattern to it; it looks like they pop up in groups of 5 or 6. If I close them all, it doesn't instantly repopulate them, it waits 5-10 minutes then brings in another group. No big deal when I'm using the comp, but when it's asleep these build up and bring it to a grinding halt. Also, don't know if it's related or not, but around when this happens, a Microsoft Word configuration window opens up wanting to install some plugins for Word. Very weird. I'm pretty sure that I have a trojan of some kind. Also whatever Network Monitor is, that's what Ad-Aware won't get rid of.

So that's pretty much all the info I can think of now. I'd appreciate any help you can give me. I'm no expert but certainly not a novice user; either way this has me stumped. Here are the goods:




Logfile of HijackThis v1.99.1
Scan saved at 5:11:25 PM, on 5/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ASKS~1\msdtc.exe
C:\WINDOWS\??sks\e?plorer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\DC++\DCPlusPlus.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\drwtsn32.exe
C:\WINDOWS\krbcc32s.exe
C:\WINDOWS\SIDECAR.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\DOCUME~1\COLLIN~1.COL\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\COLLIN~1.COL\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Desktop\stng260.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\aioeh.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,levirnt.exe
O1 - Hosts: 216.180.250.106 www.halifax-online.co.uk
O1 - Hosts: 216.180.250.106 ibank.barclays.co.uk
O1 - Hosts: 216.180.250.106 online.lloydstsb.co.uk
O1 - Hosts: 216.180.250.106 online-business.lloydstsb.co.uk
O1 - Hosts: 216.180.250.106 www.ukpersonal.hsbc.co.uk
O1 - Hosts: 216.180.250.106 banesnet.banesto.es
O1 - Hosts: 216.180.250.106 extranet.banesto.es
O1 - Hosts: 216.180.250.106 ebanking.bccbrescia.it
O1 - Hosts: 216.180.250.106 www.bankofscotlandhalifax-online.co.uk
O1 - Hosts: 216.180.250.106 oi.cajamadrid.es
O1 - Hosts: 216.180.250.106 bancae.caixapenedes.com
O1 - Hosts: 216.180.250.106 banking.postbank.de
O1 - Hosts: 216.180.250.106 meine.deutsche-bank.de
O1 - Hosts: 216.180.250.106 myonlineaccounts2.abbeynational.co.uk
O1 - Hosts: 216.180.250.106 ibank.cahoot.com
O1 - Hosts: 216.180.250.106 webbank.openplan.co.uk
O1 - Hosts: 216.180.250.106 bancopostaonline.poste.it
O1 - Hosts: 216.180.250.106 mybank.bybank.it
O1 - Hosts: 216.180.250.106 ibank.internationalbanking.barclays.com
O1 - Hosts: 216.180.250.106 welcome7.co-operativebank.co.uk
O1 - Hosts: 216.180.250.106 welcome11.co-operativebankonline.co.uk
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Microsoft IIS] C:\WINDOWS\system32\syshost.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard24.exe
O4 - HKLM\..\Run: [newname] C:\\newname24.exe
O4 - HKLM\..\Run: [w00127e6.dll] RUNDLL32.EXE w00127e6.dll,I2 0011ac68000127e6
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Wsth] "C:\WINDOWS\System32\ASKS~1\msdtc.exe" -vt yazb
O4 - HKCU\..\Run: [Rxdjhj] C:\WINDOWS\??sks\e?plorer.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000228.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\hr2s05f7e.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



#2 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 30 May 2006 - 08:54 AM

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Please read this post completely before beginning. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


* * * * * *


  • Download and run - bfu.zip
  • Checkmark the following boxes:
    • Use settings specified in script for the above option
    • Show log after script ends
  • Click the Web button located on the top right corner
  • Copy/Paste this url into the address bar of the Download script window:

    http://metallica.geekstogo.com/alcanshorty.bfu

  • Execute the script by clicking the Execute button.
  • When it finishes running, click the Save button for a copy of the log
  • Post the log created by the script when you have completed the fix
* * * * * *


Download this file - Combofix.zip
From within it, double click on combo.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install CleanUp.exe (not recommended for WinXP64)

Download and install Ewido Security Suite
  • When installing, under "Additional Options",
    • uncheck - Install background guard
  • Have Ewido update itself & then exit the program.
If you are having problems with the updater, you can use this link to manually update Ewido

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


* * * * * * DISABLING SERVICES * * * * * * * * * * * * * * * * *


Click Start -> Run - type SERVICES.MSC & then click on the OK button
  • Locate the service - Network Monitor
  • Double-click on it to open the Properties dialog.
    - Change the Startup type to Disabled & then click on the Apply button
    - Stop the service by using the Stop button.
  • Then start HiJackThis & go to Config... -> Misc.Tools -> Delete an NT service
  • In the popup box that appears, copy/paste Network Monitor
  • Click on the OK button & answer No if prompted to reboot
* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


HijackThis is able to create backups whenever it fixes any entry. These are stored in a subfolder called backups. As such, we advise against placing the program in any temporary folders. Please create a new directory, C:\Program Files\HijackThis\, and re-locate the program & its associated files there.


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O1 - Hosts: 216.180.250.106 www.halifax-online.co.uk
O1 - Hosts: 216.180.250.106 ibank.barclays.co.uk
O1 - Hosts: 216.180.250.106 online.lloydstsb.co.uk
O1 - Hosts: 216.180.250.106 online-business.lloydstsb.co.uk
O1 - Hosts: 216.180.250.106 www.ukpersonal.hsbc.co.uk
O1 - Hosts: 216.180.250.106 banesnet.banesto.es
O1 - Hosts: 216.180.250.106 extranet.banesto.es
O1 - Hosts: 216.180.250.106 ebanking.bccbrescia.it
O1 - Hosts: 216.180.250.106 www.bankofscotlandhalifax-online.co.uk
O1 - Hosts: 216.180.250.106 oi.cajamadrid.es
O1 - Hosts: 216.180.250.106 bancae.caixapenedes.com
O1 - Hosts: 216.180.250.106 banking.postbank.de
O1 - Hosts: 216.180.250.106 meine.deutsche-bank.de
O1 - Hosts: 216.180.250.106 myonlineaccounts2.abbeynational.co.uk
O1 - Hosts: 216.180.250.106 ibank.cahoot.com
O1 - Hosts: 216.180.250.106 webbank.openplan.co.uk
O1 - Hosts: 216.180.250.106 bancopostaonline.poste.it
O1 - Hosts: 216.180.250.106 mybank.bybank.it
O1 - Hosts: 216.180.250.106 ibank.internationalbanking.barclays.com
O1 - Hosts: 216.180.250.106 welcome7.co-operativebank.co.uk
O1 - Hosts: 216.180.250.106 welcome11.co-operativebankonline.co.uk
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [Microsoft IIS] C:\WINDOWS\system32\syshost.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard24.exe
O4 - HKLM\..\Run: [newname] C:\\newname24.exe
O4 - HKLM\..\Run: [w00127e6.dll] RUNDLL32.EXE w00127e6.dll,I2 0011ac68000127e6
O4 - HKCU\..\Run: [Wsth] "C:\WINDOWS\System32\ASKS~1\msdtc.exe" -vt yazb
O4 - HKCU\..\Run: [Rxdjhj] C:\WINDOWS\??sks\e?plorer.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000228.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\hr2s05f7e.dll (file missing)



* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * *


Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs:
  • Purity Scan /Snowball Wars by OIN
  • New Net \NewDotNet
Please note any other programs that you don't recognize in that list in your next response


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folder'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\WINDOWS\krbcc32s.exe
  • C:\Program Files\DNS\
  • C:\WINDOWS\system32\syshost.exe
  • C:\keyboard24.exe
  • C:\newname24.exe
  • C:\WINDOWS\system32\w00127e6.dll
  • C:\Program Files\Common Files\mc-110-12-0000228.exe
  • C:\Program Files\Network Monitor\
  • C:\WINDOWS\System32\TASKS\
Note:
Be careful with this next folder. There should be 2 folders named Tasks in the windows directory. If you see one only, do not delete it. The malware folder can be identified by the presence of this file within - e?plorer.exe
  • C:\WINDOWS\Tasks\

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Delete Cookies
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Run Ewido with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • Combofix's log
  • Online Scan
  • Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

Edited by sUBs, 30 May 2006 - 08:56 AM.
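
A triage pass over the kinds of HijackThis entries selected for fixing in this thread, as an added example that is not part of the original posts or of HijackThis itself: it groups `O1 - Hosts` redirects by IP, lists extra programs appended to the `F2` Shell/UserInit values, and flags paths containing `?` and entries whose target is missing. The function names, the `min_names` threshold and the reading of `?` inside a path as a character HijackThis could not display are assumptions of the example; the sample lines are copied from the log in post #1.

```python
import ntpath
import re
from collections import defaultdict

# Sample input: ten lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\aioeh.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,levirnt.exe
O1 - Hosts: 216.180.250.106 www.halifax-online.co.uk
O1 - Hosts: 216.180.250.106 ibank.barclays.co.uk
O1 - Hosts: 216.180.250.106 banking.postbank.de
O4 - HKLM\..\Run: [keyboard] C:\\keyboard24.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Rxdjhj] C:\WINDOWS\??sks\e?plorer.exe
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\hr2s05f7e.dll (file missing)
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
F2_RE = re.compile(r"^REG:system\.ini:\s*(Shell|UserInit)=(.*)$", re.I)
# Program each winlogon value is expected to name when nothing is appended.
EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}


def parse_entries(log_text):
    """Return (section_code, body) for each 'Xn - ...' line; headers and
    the running-process list do not match and are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def hosts_redirects(entries, min_names=3):
    """Map each non-loopback IP to the hostnames the hosts file points at it.
    Many unrelated sites resolving to one address is the redirect pattern
    seen in the O1 lines above. min_names is an assumed threshold."""
    by_ip = defaultdict(set)
    for code, body in entries:
        m = HOSTS_RE.match(body) if code == "O1" else None
        if m and m.group(1) not in ("127.0.0.1", "0.0.0.0"):
            by_ip[m.group(1)].add(m.group(2).lower())
    return {ip: sorted(n) for ip, n in by_ip.items() if len(n) >= min_names}


def winlogon_extras(entries):
    """List programs appended to Shell= / UserInit= beyond the expected one.
    Only the file name is compared, so an expected name in an unexpected
    directory is not caught by this check."""
    extras = []
    for code, body in entries:
        m = F2_RE.match(body) if code == "F2" else None
        if not m:
            continue
        expected = EXPECTED[m.group(1).lower()]
        for item in m.group(2).split(","):
            item = item.strip()
            if item and ntpath.basename(item).lower() != expected:
                extras.append((m.group(1), item))
    return extras


def masked_paths(entries):
    """Entries with '?' inside a path component, e.g. e?plorer.exe.
    A bare '= ?' shortcut target or a URL query string is not matched."""
    pattern = re.compile(r'\\[^\\\s"]*\?')
    return [(c, b) for c, b in entries if pattern.search(b)]


def missing_targets(entries):
    """Registrations whose file is gone: leftovers that still need fixing."""
    return [(c, b) for c, b in entries
            if b.endswith("(file missing)") or b.endswith("(no file)")]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for ip, names in hosts_redirects(parsed).items():
        print(f"hosts redirect: {len(names)} names -> {ip}")
    for value, prog in winlogon_extras(parsed):
        print(f"extra {value} program: {prog}")
    for code, body in masked_paths(parsed) + missing_targets(parsed):
        print(f"review {code}: {body}")
```
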


#3 perro406
  • Topic Starter

  • Members
  • 24 posts

Posted 30 May 2006 - 08:16 PM

First off, thanks again for the help. I really appreciated the fast and thorough reply. It's great that there are people out there willing to dedicate their time to other folks' problems.

That said, I followed your instructions as best as I could (explanation forthcoming) and it didn't seem to solve the problem. I will go through it step by step.


First, Brute Force Uninstaller. I DL'ed it and ran it.....got to 91 percent then froze. Rebooted. 91 percent. Froze. Same story about a half dozen times. :thumbsup:

Second, ComboFix. All this did on my computer was open a window that looked vaguely DOS-esque with a blue background and flashing yellow cursor. Nothing else. No prompts, no text, nothing. No keystrokes seemed to stimulate it to action at all.

Next, network monitor was not present as a service. I seem to remember getting rid of it yesterday in some meddling that I did after my original post....so hopefully it's gone.

Used HJT to get rid of what was left of those things that you said to fix. Again, not all were there, assuming I got rid of them somehow yesterday.

Deleted the directories and files you mentioned, with the exceptions of: C:\keyboard24.exe, C:\newname24.exe, and C:\Program Files\Common Files\mc-110-12-0000228.exe, which were not present.

Cleanup freed up a couple gigs of HD space....nice, I guess I should clean that crap out more often.

Ewido and Kaspersky still turned up a lot of stuff, seems like my computer is still pretty hot right now. I'm getting plenty of popups and it's running slow, though I dare say it's more stable than it was before. I'm certainly not in the clear just yet.


Also, I don't know if this is related but I am getting errors from HJT when I run it. Error 62, input past end of file. I don't know if this is just a garden variety error or something malicious, but it does seem strange.


Anyhow here are the logs:


HJT LOG:
Logfile of HijackThis v1.99.1
Scan saved at 9:09:49 PM, on 5/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\aioeh.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,levirnt.exe
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe




No log from ComboFix; it did not work.




Online Scan Log:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, May 30, 2006 9:00:00 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 31/05/2006
Kaspersky Anti-Virus database records: 197307
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 186436
Number of viruses found: 57
Number of infected objects: 267
Number of suspicious objects: 0
Duration of the scan process: 01:16:06

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\068C0000.VBN Infected: Exploit.HTML.Mht skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C0000.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C0001.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C0002.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C0003.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C0004.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C0005.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C0006.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C0007.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C0008.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C0009.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C000A.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C000B.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C000C.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C000D.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C000E.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C000F.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C0010.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C0011.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C0012.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C0013.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C0014.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C0015.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C0016.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C0017.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C0018.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C0019.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C001A.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\080C001B.VBN Infected: Trojan.JS.Offiz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AEC0000.VBN Infected: Backdoor.Win32.Agent.jn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AEC0001.VBN Infected: Backdoor.Win32.Agent.jn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AEC0002.VBN Infected: Backdoor.Win32.Agent.jn skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0029093.dll Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0029102.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0030103.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0030104.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0030106.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0031104.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0031350.dll Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0032101.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0032103.exe Infected: Trojan-Downloader.Win32.Adload.br skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0033099.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0036096.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0036100.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0036101.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0036102.dll Infected: Trojan-Downloader.Win32.Agent.agw skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0036104.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0036111.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0036112.exe Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0036113.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0036114.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0036115.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0036116.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0036117.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0036119.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0036120.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0036121.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0036122.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0036123.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP223\A0036128.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP224\A0037124.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP225\A0038119.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP225\A0038120.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP225\A0038121.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP225\A0038122.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP225\A0038127.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP225\A0038129.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP225\A0038131.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP225\snapshot\MFEX-3.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP225\snapshot\MFEX-4.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP225\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038172.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038173.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038174.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038174.exe/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038174.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038174.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038174.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038174.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038176.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038177.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038178.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038180.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038181.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038187.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038188.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038189.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038190.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038195.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038197.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038199.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038206.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038211.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038212.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0038214.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0039209.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0039210.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0039238.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040210.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040211.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040213.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040218.dll Infected: not-a-virus:AdWare.Win32.SurfSide.at skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040219.dll Infected: not-a-virus:AdWare.Win32.SurfSide.at skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040220.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ao skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040221.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.at skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040221.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.at skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040221.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ao skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040221.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040221.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040221.exe CAB: infected - 5 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040223.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040224.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040225.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040226.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040227.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040228.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040233.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040234.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040236.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040242.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040245.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0040248.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0041223.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0041224.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0041225.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0041226.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0041227.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0041232.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0041234.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0041236.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0041243.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0041243.exe/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0041243.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0041243.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0041243.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0041243.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP226\A0041245.dll Infected: not-a-virus:AdWare.Win32.RK.e skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP227\snapshot\MFEX-1.DAT Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP227\snapshot\MFEX-8.DAT Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0041427.exe Infected: Backdoor.Win32.SdBot.xd skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0042223.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0042224.exe Infected: not-a-virus:AdWare.Win32.RK.f skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0042551.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0042552.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0042554.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0043223.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0043224.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0043225.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0043230.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0043231.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0043233.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0044227.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0044228.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0044230.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0045227.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0045228.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0045230.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046227.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046228.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046230.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046236.exe/data0006 Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046236.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046236.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046236.exe PE_Patch.UPX: infected - 1 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046237.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046237.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046237.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046237.exe PE_Patch.UPX: infected - 1 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046239.exe Infected: Trojan-Downloader.Win32.Adload.bt skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046240.exe Infected: Trojan-Downloader.Win32.Adload.bq skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046241.exe Infected: Trojan-Downloader.Win32.Adload.bq skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046242.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046243.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046244.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046244.exe/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046244.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046244.exe RarSFX: infected - 3 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046245.exe Infected: Backdoor.Win32.VB.ary skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046246.exe Infected: Backdoor.Win32.VB.ary skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046247.exe Infected: Backdoor.Win32.VB.ary skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046248.exe Infected: Trojan-Clicker.Win32.VB.no skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046249.exe Infected: Trojan-Downloader.Win32.VB.adw skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046250.exe Infected: Trojan-Downloader.Win32.VB.adw skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046251.exe Infected: Trojan-Clicker.Win32.VB.ly skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046252.exe Infected: Trojan-Downloader.Win32.VB.adw skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046253.exe Infected: Trojan-Clicker.Win32.VB.ly skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046254.exe Infected: Trojan-Downloader.Win32.Small.cpu skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046255.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046256.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046257.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.q skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046258.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0046259.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0048483.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0048484.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0048530.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0048547.exe Infected: Backdoor.Win32.Delf.abc skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0048548.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0048550.exe Infected: Trojan-Dropper.Win32.VB.mz skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0048552.exe Infected: Trojan-Downloader.Win32.PurityScan.bj skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0048553.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.i skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0048554.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\A0048555.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\snapshot\MFEX-1.DAT Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP228\snapshot\MFEX-8.DAT Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048559.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048560.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048561.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048562.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048563.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048564.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048567.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048568.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048569.dll Infected: not-a-virus:AdWare.Win32.404Search.l skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048570.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048571.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048573.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048574.exe Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048575.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048576.exe Infected: Trojan-Downloader.Win32.Adload.bq skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048577.exe Infected: Trojan-Downloader.Win32.Adload.bq skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048578.exe Infected: Trojan-Downloader.Win32.Adload.bq skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048579.exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048580.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048581.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048582.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048583.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048584.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048585.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048586.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048587.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048588.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048589.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048590.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048591.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048592.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048593.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048594.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048595.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048596.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048597.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048598.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048599.exe Infected: Trojan-Downloader.Win32.Qoologic.c skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048600.exe Infected: Trojan-Dropper.Win32.Agent.aie skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048601.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048601.exe/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048601.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048601.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048601.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048601.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048602.exe Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048603.exe Infected: Trojan-Downloader.Win32.PurityScan.cl skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048605.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048606.dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048607.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{753CACA9-8A58-4A6A-80A5-46AF07772B02}\RP229\A0048608.dll Infected: Trojan-Downloader.Win32.Agent.agw skipped
C:\Trelew.exe/data0006 Infected: Trojan-Dropper.Win32.VB.mz skipped
C:\Trelew.exe NSIS: infected - 1 skipped
C:\VSL02.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\VSL02.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\VSL02.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\pwmds.dat Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\WINDOWS\system32\VSL03.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\WINDOWS\system32\VSL03.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\WINDOWS\system32\VSL03.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\VSL05.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\WINDOWS\system32\VSL05.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\WINDOWS\system32\VSL05.exe NSIS: infected - 2 skipped

Scan process completed.

And finally ewido log:


#4 perro406


Posted 30 May 2006 - 08:18 PM

I guess I exceeded the character limit there. Here is the ewido report in its entirety.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:29:00 PM, 5/30/2006
+ Report-Checksum: B168654F

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{59879FA4-4790-461c-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned with backup
HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj -> Adware.WebHancer : Cleaned with backup
HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj\CurVer -> Adware.WebHancer : Cleaned with backup
HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj.1 -> Adware.WebHancer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent -> Adware.WebHancer : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\webhancer -> Adware.WebHancer : Cleaned with backup
HKLM\SOFTWARE\webhancer\CC -> Adware.WebHancer : Cleaned with backup
HKLM\SOFTWARE\webhancer\ESO -> Adware.WebHancer : Cleaned with backup
HKU\S-1-5-21-1229272821-776561741-725345543-1004\Software\Kazaa\Promotions\Cydoor -> Adware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1229272821-776561741-725345543-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329 -> Adware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1229272821-776561741-725345543-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4 -> Adware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1229272821-776561741-725345543-1004\Software\RX Toolbar -> Adware.RXToolbar : Cleaned with backup
HKU\S-1-5-21-1229272821-776561741-725345543-1004\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-1229272821-776561741-725345543-1004\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
[1648] C:\Program Files\webHancer\programs\whiehlpr.dll -> Adware.WebHancer : Cleaned with backup
[1876] C:\WINDOWS\System32\qgxaxqf.dll -> Downloader.Qoologic.bj : Cleaned with backup
[1908] C:\WINDOWS\System32\qgxaxqf.dll -> Downloader.Qoologic.bj : Error during cleaning
[1936] C:\WINDOWS\System32\qgxaxqf.dll -> Downloader.Qoologic.bj : Error during cleaning
[1964] C:\WINDOWS\System32\qgxaxqf.dll -> Downloader.Qoologic.bj : Error during cleaning
[1996] C:\WINDOWS\System32\qgxaxqf.dll -> Downloader.Qoologic.bj : Error during cleaning
[2028] C:\WINDOWS\System32\qgxaxqf.dll -> Downloader.Qoologic.bj : Error during cleaning
[120] C:\WINDOWS\System32\qgxaxqf.dll -> Downloader.Qoologic.bj : Error during cleaning
[132] C:\WINDOWS\System32\qgxaxqf.dll -> Downloader.Qoologic.bj : Error during cleaning
[152] C:\WINDOWS\System32\qgxaxqf.dll -> Downloader.Qoologic.bj : Error during cleaning
[172] C:\Program Files\webHancer\Programs\whagent.exe -> Adware.WebHancer : Cleaned with backup
[204] C:\WINDOWS\System32\qgxaxqf.dll -> Downloader.Qoologic.bj : Error during cleaning
[212] C:\WINDOWS\System32\qgxaxqf.dll -> Downloader.Qoologic.bj : Error during cleaning
[376] C:\WINDOWS\System32\qgxaxqf.dll -> Downloader.Qoologic.bj : Error during cleaning
[416] C:\Program Files\webHancer\Programs\webhdll.dll -> Adware.WebHancer : Cleaned with backup
[3104] C:\Program Files\webHancer\Programs\webhdll.dll -> Adware.WebHancer : Error during cleaning
C:\comscore.exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@a.tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@e-2dj6wfkigpdpcgo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@e-2dj6wfkyknczedo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@e-2dj6wfkywpdjwcp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@e-2dj6wfl4smajohq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@e-2dj6wflialczkgq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@e-2dj6wfliepd5gfo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@e-2dj6wfloojc5cep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@e-2dj6wfmialajmlo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@e-2dj6wjk4socjiap.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@e-2dj6wjl4enczcbo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@e-2dj6wjloghazagq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@e-2dj6wjlogkdjoao.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@e-2dj6wjmicjdjocp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@e-2dj6wjmyood5ccp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@e-2dj6wjnyamczeap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@e-2dj6wjnyoidjklp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@e-2dj6wjnyqodpifp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@polo.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Collin Weber\Cookies\collin weber@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Tracking101 : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Top-banners : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Adtrak : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Adtrak : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Adtrak : Cleaned with backup
:mozilla.149:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.157:C:\Documents and Settings\Collin Weber.COLLIN-7G94D31P\Application Data\Mozilla\Firefox\Profiles\kfmreh7c.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\drma.exe -> Downloader.Adload.bo : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\numbsoft.exe -> Dropper.Agent.hl : Cleaned with backup
C:\Program Files\AIM95\aimax.exe -> Adware.Agent : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup
C:\Program Files\Common Files\kwzr\kwzrd\kwzrc.dll -> Adware.TargetServer : Cleaned with backup
C:\Program Files\Common Files\kwzr\kwzrp.exe -> Downloader.TSUpdate.f : Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20060530-182144-435.dll -> Adware.WebHancer : Cleaned with backup
C:\Program Files\INSTAFINK -> Adware.404Search : Cleaned with backup
C:\Program Files\INSTAFINK\instafink.dll -> Adware.404Search : Cleaned with backup
C:\Program Files\webHancer\Programs\webhdll.dll -> Adware.WebHancer : Cleaned with backup
C:\Program Files\webHancer\Programs\whagent.exe -> Adware.WebHancer : Cleaned with backup
C:\Program Files\webHancer\Programs\whiehlpr.dll -> Adware.WebHancer : Cleaned with backup
C:\Program Files\webHancer\Programs\whinstaller.exe -> Adware.WebHancer : Cleaned with backup
C:\Program Files\webHancer\Programs\whsurvey.exe -> Adware.WebHancer : Cleaned with backup
C:\Program Files\whInstall -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\license.txt -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\readme.txt -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\whAgent.ini -> Adware.Webhancer : Cleaned with backup
C:\Program Files\Windows Media Player\mezon.dll -> Downloader.Small.ctp : Cleaned with backup
C:\SS1001.exe -> Dropper.Small.qn : Cleaned with backup
C:\webnexmk.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\drsmartload45a.exe -> Downloader.Adload.bq : Cleaned with backup
C:\WINDOWS\drsmartload46a.exe -> Downloader.Adload.bq : Cleaned with backup
C:\WINDOWS\drsmartload849a.exe -> Downloader.Adload.bq : Cleaned with backup
C:\WINDOWS\icont.exe -> Adware.AdURL : Cleaned with backup
C:\WINDOWS\installerwnus.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\WINDOWS\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\Q29sbGluIFdlYmVy\asappsrv.dll -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\Q29sbGluIFdlYmVy\command.exe -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup
C:\WINDOWS\system32\dn0s01d7e.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\fpj6031se.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\j4j60e1seh.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\k662lgjo16oc.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\lv8409lqe.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\m6rmlg9116.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mv40l9hm1.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\o4ns0e57eh.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\pvp.dll -> Adware.PurityScan : Cleaned with backup
C:\WINDOWS\system32\pwmds.dat -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINDOWS\system32\q6680gjue6o80.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\rk.bin -> Adware.RK : Cleaned with backup
C:\WINDOWS\system32\s288lclu1fq8.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\w133291e.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\wjnbrand.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Cleaned with backup
C:\WINDOWS\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
C:\WINDOWS\WHCC2.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\WINDOWS\xhfvymg.exe -> Hijacker.VB.ij : Cleaned with backup
C:\WINDOWS\Αdobe\csrss.exe -> Downloader.PurityScan.cl : Cleaned with backup


::Report End






Thanks again for any help you can give me, I'd rather not have to reformat this thing. :thumbsup:

#5 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 30 May 2006 - 09:24 PM

Second, ComboFix. All this did on my computer was open a window that looked vaguely DOS-esque with a blue background and flashing yellow cursor. Nothing else. No prompts, no text, nothing. No keystrokes seemed to stimulate it to action at all.


Lol ..that seems to be a bug with Combofix which I have yet to fix. It stalls whenever someone mouseclicks on the blue screen during the initial stage. Please give combofix another whirl. If it stalls again, click the bluescreen & hit 'Enter' on your keyboard. It should present you with the introductory screen & proceed to scan your computer. If it finds anything, it will automatically reboot the machine to complete the removal process & a log shall be produced after the reboot. All in, the whole process shouldn't take more than a few minutes.


* * * * * * *


After you have run combofix, please do a scan with Hijackthis & have these entries fixed (if Combofix ran properly, some entries would be missing):


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\aioeh.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,levirnt.exe
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)



* * * * * * * * *


Uninstall this program if present :- Webhancer


Delete the following files/folders (if any resist deletion, do it from Safe Mode):

C:\Trelew.exe
C:\VSL02.exe
C:\WINDOWS\system32\pwmds.dat
C:\WINDOWS\system32\VSL03.exe
C:\WINDOWS\system32\VSL05.exe
C:\Program Files\webHancer


Delete the contents of this folder, leaving it empty:

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\


* * * * * * * * *


Finish up by clearing System Restore's cache by doing so . . .
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
  • Tick on the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click OK


* * * * * * * * *


In your next reply, please furnish the following logs:

1. Fresh HJT log
2. Combofix's log (hopefully)


Let me know how that went
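
An added example, not part of the post above and not code from HijackThis or ComboFix: one way to compare a "fix these entries" list with the fresh HJT log requested afterwards, and to flag extra programs appended to the Winlogon Shell and UserInit values that HijackThis reports as F2 lines. The function names are hypothetical, the sample lines are copied from this thread, and the allowed defaults assume Windows XP installed in C:\WINDOWS.

```python
import re

# Default Winlogon values (assumption: Windows XP installed in C:\WINDOWS).
# Anything else listed in these comma-separated values also starts at logon.
WINLOGON_DEFAULTS = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

# Some of the entries the helper asked to have fixed (copied from the thread).
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\aioeh.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,levirnt.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
"""

# Some lines of the fresh log posted afterwards (copied from the thread).
FRESH_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\aioeh.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,levirnt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
"""

# A log entry is a section code (R0, F2, O4, O16, ...) followed by " - " and a body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2})\s+-\s+(?P<body>.+)$")
F2_RE = re.compile(r"^REG:system\.ini:\s*(?P<name>\w+)=(?P<value>.*)$", re.I)


def parse_entries(text):
    """Return (code, body) pairs; headers and process paths are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("code"), match.group("body").strip()))
    return entries


def normalise(code, body):
    """Windows paths are case-insensitive, and the same entry can be logged
    with different casing on different runs, so compare case-folded text."""
    return code + " " + re.sub(r"\s+", " ", body).casefold()


def still_present(fix_list, fresh_log):
    """Entries from the fix list that the fresh log still contains."""
    fresh = {normalise(code, body) for code, body in parse_entries(fresh_log)}
    return [
        f"{code} - {body}"
        for code, body in parse_entries(fix_list)
        if normalise(code, body) in fresh
    ]


def winlogon_extras(log):
    """(value name, program) pairs for anything beyond the default in F2 lines."""
    findings = []
    for code, body in parse_entries(log):
        match = F2_RE.match(body)
        if code != "F2" or not match:
            continue
        allowed = WINLOGON_DEFAULTS.get(match.group("name").casefold())
        if allowed is None:
            continue
        for item in match.group("value").split(","):
            item = item.strip()
            if item and item.casefold() not in allowed:
                findings.append((match.group("name"), item))
    return findings


if __name__ == "__main__":
    for entry in still_present(FIX_LIST, FRESH_LOG):
        print("still present:", entry)
    for name, program in winlogon_extras(FRESH_LOG):
        print(f"extra program in {name}: {program}")
```
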

#6 perro406

  • Topic Starter
  • Members
  • 24 posts

Posted 31 May 2006 - 06:28 PM

First, thanks for the advice again!

The bad news is that the combofix program still wouldn't work on my system :thumbsup: . It's probably an issue with my computer, not with your program.

That said, it seems as though the HJT fixes and deleting those files did something. Still getting popups though, not as many it seems. Not completely fixed just yet. Although, that said, I can't discern what would be popups due to spyware, etc. versus what are just regular internet popup crap. I don't think the system is clean quite yet. Ad-Aware is still turning up stuff. It seems as though whatever I have is somehow fixing itself, because it's just not going away. Anyhow, here is the HJT log (still getting that weird HJT error btw).

Logfile of HijackThis v1.99.1
Scan saved at 7:26:09 PM, on 5/31/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\aioeh.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,levirnt.exe
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe





Seems like we are making some progress. Thanks a ton!!

#7 sUBs

  • Malware Response Team

Posted 31 May 2006 - 06:40 PM

Hmm.. I must improve on my tool making skills. :thumbsup:

Let's use an alternative from Lonny Jones, who has vastly superior skills.

Download Brute Force Uninstaller to your C:\

http://www.merijn.org/files/bfu.zip

Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\

Download qoofix.bat: http://downloads.subratam.org/Lon/qooFix.bat
(right-click on this link and choose save as)

Place qoofix.bat in your C:\BFU folder. (Important!)
Double-click qooFix.bat, close all browsers and explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
After the PC has restarted please post another hijackthis log.

#8 perro406

  • Topic Starter

Posted 31 May 2006 - 07:45 PM

Hey thanks a bunch for sticking with this and for the fast responses.

Followed the steps, restarted. Everything went smoothly. Still getting some popups but it seems as though the system has a bit more stability. Still not quite back to normal. Here is the new HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 8:40:58 PM, on 5/31/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\aioeh.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,levirnt.exe
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#9 sUBs

  • Malware Response Team

Posted 31 May 2006 - 07:49 PM

Try fixing these 2 entries. Then do a re-scan to see if they return.

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\aioeh.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,levirnt.exe


If they do not return, please do another Kaspersky online scan.
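
The two F2 entries singled out above can be found mechanically in a HijackThis log. The following is an added example, not part of the post or of any tool mentioned in this thread: it flags every program chained onto `Shell=` or `UserInit=` beyond the stock value and notes whether that program shows up under "Running processes". The baseline values assume Windows installed in C:\WINDOWS, as in this log; the sample input is a constructed excerpt of the log posted above.

```python
import ntpath
import re

# Constructed sample: a shortened excerpt of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\aioeh.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,levirnt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""

# Assumed baseline (not from the thread): stock Windows XP values, lowercased.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {"userinit.exe", r"c:\windows\system32\userinit.exe"},
}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (\w+)=(.*)$", re.IGNORECASE)


def running_processes(log):
    """Return lowercase basenames listed under 'Running processes:'."""
    names, in_section = set(), False
    for line in log.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section and not line:
            break  # a blank line ends the process list
        elif in_section:
            names.add(ntpath.basename(line).lower())
    return names


def audit_f2(log):
    """Flag each program in Shell=/UserInit= that is not the expected default."""
    running = running_processes(log)
    findings = []
    for line in log.splitlines():
        m = F2_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        for item in (part.strip() for part in value.split(",")):
            if not item or item.lower() in EXPECTED.get(key, set()):
                continue  # empty field (trailing comma) or the stock value
            findings.append({
                "key": key,
                "program": item,
                # False means the file is started at logon but not listed as running.
                "in_process_list": ntpath.basename(item).lower() in running,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_f2(SAMPLE_LOG):
        print(finding)
```

Neither flagged program appears in the process list of the log, which is one data point to weigh alongside the entries reappearing after a fix; it is not proof of hiding on its own.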

#10 perro406

  • Topic Starter

Posted 31 May 2006 - 08:41 PM

When I fix these and then rescan immediately, they still appear. Whatever these are, they aren't going away.

#11 sUBs

  • Malware Response Team

Posted 31 May 2006 - 08:48 PM

Just as I thought. Lonny's tool failed too. It's a rootkit infection. Don't worry though. I have long sleeves with many tricks within. :thumbsup:

Do this now. It shall only take a few minutes.

Download and run Blacklight

Note that you must have local administrative privileges to run the program.

Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says Blacklight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this.

When it finishes, click Next. You may get a screen similar to the picture below. Click on Close.

BlackLight beta would create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log.

Posted Image

Edited by sUBs, 31 May 2006 - 08:48 PM.


#12 perro406

  • Topic Starter

Posted 31 May 2006 - 09:26 PM

I have such bad luck. I can't get BlackLight to work at all. Says it can't get the SeDebugPrivilege. I am the only user on this computer, so my account is admin. I also tried this as admin in safe mode with the same error as the result. Sorry this isn't going so well......

#13 sUBs

  • Malware Response Team

Posted 31 May 2006 - 09:33 PM

Let's try this other tool first. Remind me about the SeDebug later on.
** sUBs reaches up his sleeves for yet another rabbit :thumbsup:

This is an older version of a component from the combofix tool. It was meant to be a standalone tool before I rolled everything into combofix.

Download the attachment & extract the file within onto Desktop.
Double click on it & allow it to run.
When it finishes, it may automatically logoff/reboot your machine.
If it doesn't, please reboot manually.
After the reboot, you shall be presented with a log of its actions. [attachment=848:attachment]

Edited by sUBs, 31 May 2006 - 09:34 PM.


#14 perro406

  • Topic Starter

Posted 01 June 2006 - 09:12 PM

Sorry for the slow response. Busy day today!

I downloaded your tool and ran it. Here is a transcript of the log:


1 File<s> copied

Locate > del C:\WINDOWS\SYSTEM32\KYXAHI~1.VIR

Locate > attrib h r s a C:\WINDOWS\SYSTEM32\LEVIRN~1.VIR

Locate > copy C:\WINDOWS\SYSTEM32\LEVIRN~1.VIR C:\QooBox
1 file<s> copied

Locate > del C:\WINDOWS\SYSTEM32\PWMDSD~1.VIR

Locate > attrib h r s a C:\WINDOWS\SYSTEM32\PWMDSD~1.VIR

Locate > copy C:\WINDOWS\SYSTEM32\PWMDSD~1.VIR C:\QooBox
1 file<s> copied

Locate > del C:\WINDOWS\SYSTEM32\PWMDSD~1.VIR

Locate > attrib h r s a C:\WINDOWS\SYSTEM32\QGXAXQ~1.VIR

Locate > copy C:\WINDOWS\SYSTEM32\QGXAXQ~1.VIR C:\QooBox
1 file<s> copied

Locate > del C:\WINDOWS\SYSTEM32\QGXAXQ~1.VIR



No noticeable change in system behavior.

Thanks again!!

#15 sUBs

  • Malware Response Team

Posted 01 June 2006 - 09:26 PM

Where did you get those from? Is it from the DOS screen?
The log should be located at C:\Q-LOG.txt.
If it's not there, look for C:\sUBs.bat & double click it.

Here's a sample of what the log looks like

FIND FILES
2006-06-02 10:21:42.15
A copy of this report is located at C:\Q-LOG.txt

= = = = = Filepaths from the Registry = = = = =

C:\WINDOWS\system32\crewft.exe filesize 127488
C:\WINDOWS\system32\crewft.exe filesize 127488
C:\WINDOWS\system32\sbvbf.exe filesize 28672
dwcfpyj.exe
C:\WINDOWS\system32\dmonwv.dll filesize 32256
Qoo variant found - 127488

= = = = = = Filepaths from Locate = = = = = =

C:\WINDOWS\SYSTEM32\DWCFPYJ.EXE 2006-06-02 10:20:46 23,552 (A....)
C:\WINDOWS\SYSTEM32\CREWFT.EXE 2006-06-02 10:20:46 127,488 (A....)
C:\WINDOWS\SYSTEM32\SBVBF.EXE 2006-06-02 10:20:46 28,672 (A....)
C:\WINDOWS\SYSTEM32\IYEWVCT.DLL 2006-06-02 10:20:46 51,712 (A....)
C:\WINDOWS\SYSTEM32\DMONWV.DLL 2006-06-02 10:21:26 32,256 (A....)
C:\WINDOWS\SYSTEM32\HPTAQ.DAT 2006-06-02 10:20:46 127,488 (A....)
C:\WINDOWS\ANLEV.DLL 2006-06-02 10:20:46 24 (A....)
C:\WINDOWS\EPLPNQ.DAT 2006-06-02 10:21:26 53 (A....)
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\TAQXL.EXE 2006-06-02 10:19:52 127,488 (A....)

= = = = = = Quarantine folder = = = = = = = =

Volume in drive C has no label.
Volume Serial Number is 385A-3B86

Directory of C:\QooBox

2006-06-02 10:22 AM <DIR> .
2006-06-02 10:22 AM <DIR> ..
2006-06-02 10:19 AM 34 ANLEVD~1.VIR
2006-06-02 10:19 AM 127,488 CREWFT~1.VIR
2006-06-02 10:19 AM 32,256 DMONWV~1.VIR
2006-06-02 10:19 AM 23,552 DWCFPY~1.VIR
2006-06-02 10:19 AM 53 EPLPNQ~1.VIR
2006-06-02 10:19 AM 127,488 HPTAQD~1.VIR
2006-06-02 10:19 AM 51,712 IYEWVC~1.VIR
2006-06-02 10:19 AM 28,672 SBVBFE~1.VIR
2006-06-02 10:19 AM 127,488 TAQXLE~1.VIR
9 File(s) 518,743 bytes
2 Dir(s) 2,114,445,312 bytes free

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO

= = = = = = Post-run from Locate = = = = = =


2006-06-02 10:22:06.89





