
Warning: Windows Firewall Detected...


This topic is locked
10 replies to this topic

#1 serob

  • Members
  • 38 posts

Posted 10 July 2006 - 09:31 PM

Hi,

I have been infected with a malware/spyware which installed an annoying Windows pop-up that displays the following message:

"WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwords. Do you want to download certificated software and protect your computer?"

A bunch of porn links have been added to my favorites list. :thumbsup:

I really thank anyone who can give me a hand!!!!! :flowers:

HJT log:

=================================================

Logfile of HijackThis v1.99.1
Scan saved at 10:17:34 PM, on 7/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\java\KI\secsys.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Pepi\Desktop\LIMPIARSPY\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [TradeManager] C:\PROGRA~1\Alibaba\TRADEM~1\TradeManager -hideframe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [eMule Acceleration Patch] C:\Documents and Settings\All Users\Start Menu\Programs\eMule Acceleration Patch\eMule Acceleration Patch.lnk
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O15 - Trusted Zone: www.skymasters.biz
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (CEditCtrl Object) - https://img.alipay.com/download/1007/aliedit.cab
O16 - DPF: {7A7BA269-2D21-4B33-B60A-8510A1865D5F} (IWS Photo Upload Tool) - http://public1.uploader.officelive.com/_la...eX/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.98.46.120/activex/AxisCamControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D4D6204-A5F8-46D4-AE8E-DFE917F17366}: NameServer = 85.255.115.68,85.255.112.118
O17 - HKLM\System\CCS\Services\Tcpip\..\{719A0974-8A5D-4E72-8055-BD4A030BAE7E}: NameServer = 85.255.115.68,85.255.112.118
O17 - HKLM\System\CCS\Services\Tcpip\..\{76E29002-92E5-4218-A7D6-CCECC6D984A5}: NameServer = 85.255.115.68,85.255.112.118
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.118
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D4D6204-A5F8-46D4-AE8E-DFE917F17366}: NameServer = 85.255.115.68,85.255.112.118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.118
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Local Security (secsys) - Unknown owner - C:\WINDOWS\java\KI\secsys.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

=================================================
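The log above is what the helper works from later in the thread: the O17 lines pin every interface and every control set to the same two static NameServer addresses, three sites have been added to the IE Trusted Zone, and an autorun entry launches an executable sitting in the root of C:. As an added example, not part of this thread and not part of HijackThis, here is a small Python triage script that applies those same checks to HJT log lines. The sample lines are copied from the log above; the expected-resolver set is an assumption (empty, because the machine is meant to get DNS from DHCP), and the "review" rule for services with no verified owner is a generic heuristic, not a verdict on any service in this log.

```python
"""Triage HijackThis v1.99.1 log lines for DNS-hijack indicators.

Added example for this thread; not part of HijackThis or of the forum post.
"""
import re

# Constructed sample: a handful of lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D4D6204-A5F8-46D4-AE8E-DFE917F17366}: NameServer = 85.255.115.68,85.255.112.118
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.118
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
"""

# Assumption: DNS should come from DHCP, so no static resolver is expected.
# A site with its own resolvers would list them here instead.
EXPECTED_RESOLVERS = frozenset()

O17_RE = re.compile(r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\(?P<where>[^:]+): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.*?) - (?P<path>.+)$")
# An autorun whose executable lives directly in a drive root (C:\winstall.exe).
DRIVE_ROOT_EXE = re.compile(r'^"?[A-Za-z]:\\[^\\]+\.exe"?(\s|$)', re.IGNORECASE)


def parse_nameservers(value):
    """Split an O17 NameServer value; HJT prints them comma- or space-separated."""
    return [s for s in re.split(r"[,\s]+", value.strip()) if s]


def triage(log_text, expected=EXPECTED_RESOLVERS):
    """Return (severity, reason, line) findings, highest severity first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O17_RE.match(line)
        if m:
            unexpected = [s for s in parse_nameservers(m["servers"]) if s not in expected]
            if unexpected:
                findings.append(("high", "static DNS server(s) %s in %s"
                                 % (", ".join(unexpected), m["cs"]), line))
            continue
        m = O4_RE.match(line)
        if m and DRIVE_ROOT_EXE.match(m["cmd"]):
            findings.append(("high", "autorun executable in a drive root", line))
            continue
        m = O15_RE.match(line)
        if m:
            findings.append(("medium", "site added to IE Trusted Zone: " + m["host"], line))
            continue
        m = O23_RE.match(line)
        if m and m["owner"].strip() in ("", "Unknown owner"):
            findings.append(("review", "service with no verified owner", line))
    rank = {"high": 0, "medium": 1, "review": 2}
    findings.sort(key=lambda f: rank[f[0]])
    return findings


def nameserver_summary(log_text):
    """Map each static NameServer to the control sets (CCS, CS1, ...) that carry it."""
    seen = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            for server in parse_nameservers(m["servers"]):
                seen.setdefault(server, set()).add(m["cs"])
    return {server: sorted(sets) for server, sets in seen.items()}


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
    for server, sets in nameserver_summary(SAMPLE_LOG).items():
        print(f"{server} is pinned in control sets: {', '.join(sets)}")
```

The summary function is there to show why the helper's fix list covers the CS1 and CS2 entries as well as the CurrentControlSet ones: the same static resolvers are written into every control set, so clearing only CCS would leave copies behind.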


#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 July 2006 - 07:12 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijackthis log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 serob
  • Topic Starter
  • Members
  • 38 posts

Posted 16 July 2006 - 01:27 PM

Thank you Buckeye_Sam,

Here is the new HJT log, I appreciate all your help. :thumbsup:

=================================================
Logfile of HijackThis v1.99.1
Scan saved at 2:25:20 PM, on 7/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ANYCOM\Blue USB-200-250\bin\btwdins.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\java\KI\secsys.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\ANYCOM\Blue USB-200-250\BTTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\ANYCOM\BLUEUS~1\BTSTAC~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Pepi\Desktop\LIMPIARSPY\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [eMule Acceleration Patch] C:\Documents and Settings\All Users\Start Menu\Programs\eMule Acceleration Patch\eMule Acceleration Patch.lnk
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ANYCOM\Blue USB-200-250\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ANYCOM\Blue USB-200-250\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ANYCOM\Blue USB-200-250\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O15 - Trusted Zone: www.skymasters.biz
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (CEditCtrl Object) - https://img.alipay.com/download/1007/aliedit.cab
O16 - DPF: {7A7BA269-2D21-4B33-B60A-8510A1865D5F} (IWS Photo Upload Tool) - http://public1.uploader.officelive.com/_la...eX/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.98.46.120/activex/AxisCamControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D4D6204-A5F8-46D4-AE8E-DFE917F17366}: NameServer = 85.255.115.68,85.255.112.118
O17 - HKLM\System\CCS\Services\Tcpip\..\{719A0974-8A5D-4E72-8055-BD4A030BAE7E}: NameServer = 85.255.115.68,85.255.112.118
O17 - HKLM\System\CCS\Services\Tcpip\..\{76E29002-92E5-4218-A7D6-CCECC6D984A5}: NameServer = 85.255.115.68,85.255.112.118
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.118
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D4D6204-A5F8-46D4-AE8E-DFE917F17366}: NameServer = 85.255.115.68,85.255.112.118
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.118
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D4D6204-A5F8-46D4-AE8E-DFE917F17366}: NameServer = 85.255.115.68,85.255.112.118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.118
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ANYCOM\Blue USB-200-250\bin\btwdins.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Local Security (secsys) - Unknown owner - C:\WINDOWS\java\KI\secsys.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

=================================================

#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 July 2006 - 05:52 PM

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log into this topic.


========================================================

#5 serob
  • Topic Starter
  • Members
  • 38 posts

Posted 16 July 2006 - 10:47 PM

Here it is:

====================================

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EA9EA60610A1-4248-C054-2381-665A29AB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EDF61D6BEFE6-BEEA-B074-6157-A068E5D1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5983D9224069-1A1B-18B4-B1AC-E83FBCC6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}25B23765C824-8358-21C4-1ED9-F53E4A95{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1B852F1B202E-6A29-A304-95AD-3AC35CE4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}943C865D3918-8969-AF54-CDEB-2DCAC513{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\yoamd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmaoy.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

Search by size and names...

Misc files

Checking for older varients covered by the Rem3 tool


Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMAOY.EXE 44,131 2003-05-11
Other suspects
Directory of C:\WINDOWS\system32
{315CACD2-BEDC-45FA-9698-8193D568C349}.exe
{59A4E35F-9DE1-4C12-8538-428C56732B52}.exe
{6CCBF38E-CA1B-4B81-B1A1-9604229D3895}.exe

====================================
HJT:

Logfile of HijackThis v1.99.1
Scan saved at 11:45:31 PM, on 7/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ANYCOM\Blue USB-200-250\bin\btwdins.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\java\KI\secsys.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ANYCOM\Blue USB-200-250\BTTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Pepi\Desktop\LIMPIARSPY\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [eMule Acceleration Patch] C:\Documents and Settings\All Users\Start Menu\Programs\eMule Acceleration Patch\eMule Acceleration Patch.lnk
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ANYCOM\Blue USB-200-250\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ANYCOM\Blue USB-200-250\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ANYCOM\Blue USB-200-250\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O15 - Trusted Zone: www.skymasters.biz
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (CEditCtrl Object) - https://img.alipay.com/download/1007/aliedit.cab
O16 - DPF: {7A7BA269-2D21-4B33-B60A-8510A1865D5F} (IWS Photo Upload Tool) - http://public1.uploader.officelive.com/_la...eX/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.98.46.120/activex/AxisCamControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D4D6204-A5F8-46D4-AE8E-DFE917F17366}: NameServer = 85.255.115.68,85.255.112.118
O17 - HKLM\System\CCS\Services\Tcpip\..\{719A0974-8A5D-4E72-8055-BD4A030BAE7E}: NameServer = 85.255.115.68,85.255.112.118
O17 - HKLM\System\CCS\Services\Tcpip\..\{76E29002-92E5-4218-A7D6-CCECC6D984A5}: NameServer = 85.255.115.68,85.255.112.118
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.118
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D4D6204-A5F8-46D4-AE8E-DFE917F17366}: NameServer = 85.255.115.68,85.255.112.118
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.118
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D4D6204-A5F8-46D4-AE8E-DFE917F17366}: NameServer = 85.255.115.68,85.255.112.118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.118
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ANYCOM\Blue USB-200-250\bin\btwdins.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Local Security (secsys) - Unknown owner - C:\WINDOWS\java\KI\secsys.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


====================================

#6 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 17 July 2006 - 05:31 PM

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O15 - Trusted Zone: www.skymasters.biz
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D4D6204-A5F8-46D4-AE8E-DFE917F17366}: NameServer = 85.255.115.68,85.255.112.118
O17 - HKLM\System\CCS\Services\Tcpip\..\{719A0974-8A5D-4E72-8055-BD4A030BAE7E}: NameServer = 85.255.115.68,85.255.112.118
O17 - HKLM\System\CCS\Services\Tcpip\..\{76E29002-92E5-4218-A7D6-CCECC6D984A5}: NameServer = 85.255.115.68,85.255.112.118
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.118
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D4D6204-A5F8-46D4-AE8E-DFE917F17366}: NameServer = 85.255.115.68,85.255.112.118
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.118
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D4D6204-A5F8-46D4-AE8E-DFE917F17366}: NameServer = 85.255.115.68,85.255.112.118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.118



=============


Now let's check some settings on your system.
  • Enter your Control Panel and double-click on Network Connections
  • Then right click on your Default Connection
    • Usually Local Area Connection for Cable and DSL
  • Left click on Properties
  • Double-Click on the Internet Protocol (TCP/IP) item
  • Select the radio dial that says Obtain DNS Servers Automatically
  • Press OK twice to get out of the properties screen and reboot if it asks
Next go to Start > Run, type cmd and hit OK.
Type
ipconfig /flushdns
then hit Enter, type exit and hit Enter.
(that space between g and / is needed)



Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\winstall.exe
    C:\WINDOWS\SYSTEM32\DMAOY.EXE
    C:\WINDOWS\system32\{315CACD2-BEDC-45FA-9698-8193D568C349}.exe
    C:\WINDOWS\system32\{59A4E35F-9DE1-4C12-8538-428C56732B52}.exe
    C:\WINDOWS\system32\{6CCBF38E-CA1B-4B81-B1A1-9604229D3895}.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
=============



Download SmitfraudFix (by S!Ri) to your Desktop.
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

______________________________


Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware.

______________________________


Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log.



Also post a new hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
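The O15 and O17 lines in the fix list above are the Trusted Zone additions and the DNS hijack that the "Obtain DNS Servers Automatically" step undoes. Here is an added Python example (not code from the thread, from HijackThis, or from any tool named in it) that parses HJT log text and flags exactly those two kinds of entry against an allow-list of the resolvers the machine should be using. The allow-list value 192.168.1.1 and the all-zero interface GUID in the sample are assumptions; the other sample lines are copied from the log above.

```python
"""Triage HijackThis O15/O17 entries for DNS hijacking and Trusted Zone additions.

Added example, not code from the thread or from HijackThis. It flags:
  * O17 NameServer entries whose resolvers are not on a caller-supplied
    allow-list (normally the router or ISP resolvers the machine should use);
  * O15 Trusted Zone sites, which relax IE's security settings for that host.
"""
import ipaddress
import re
from dataclasses import dataclass

# HJT writes the per-interface key as ...\Tcpip\..\{GUID}, where ".." stands
# for Parameters\Interfaces; the global key is ...\Tcpip\Parameters.  The
# control set is CCS (CurrentControlSet) or CSn (ControlSet00n).
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\[^:]+)"
    r": NameServer = (?P<servers>.+)$"
)
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)$")


@dataclass
class Finding:
    kind: str            # "dns_hijack" or "trusted_zone"
    key: str             # registry key (O17) or site name (O15)
    control_set: str     # CCS / CS1 / CS2 ... for O17, "" for O15
    servers: tuple       # resolvers not on the allow-list (O17 only)


def parse_nameservers(value: str) -> list:
    """Split a NameServer value; HJT shows both ',' and ' ' as separators."""
    return [tok for tok in re.split(r"[,\s]+", value.strip()) if tok]


def triage_hjt(log_text: str, allowed_dns: set) -> list:
    """Return a Finding for every O17 line with a foreign resolver and every O15 line."""
    allowed = {str(ipaddress.ip_address(a)) for a in allowed_dns}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            foreign = []
            for tok in parse_nameservers(m.group("servers")):
                try:
                    ip = str(ipaddress.ip_address(tok))
                except ValueError:
                    foreign.append(tok)        # not an IP at all: worth a look
                    continue
                if ip not in allowed:
                    foreign.append(ip)
            if foreign:
                findings.append(Finding("dns_hijack", m.group("key"),
                                        m.group("cs"), tuple(foreign)))
            continue
        m = O15_RE.match(line)
        if m:
            findings.append(Finding("trusted_zone", m.group("site"), "", ()))
    return findings


def hijack_summary(findings: list) -> dict:
    """Map each foreign resolver to the control sets it is configured in.

    A resolver present in CCS *and* CS1/CS2 survives a 'Last Known Good'
    boot, which is why the fix list above covers every control set.
    """
    summary = {}
    for f in findings:
        if f.kind == "dns_hijack":
            for ip in f.servers:
                summary.setdefault(ip, set()).add(f.control_set)
    return summary


# Constructed sample: the O15/O17 lines are copied from the HJT log in the
# thread; the final interface line (router DNS, made-up GUID) is an assumption
# added to show that an allow-listed resolver is not reported.
SAMPLE_LOG = r"""
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O15 - Trusted Zone: www.skymasters.biz
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D4D6204-A5F8-46D4-AE8E-DFE917F17366}: NameServer = 85.255.115.68,85.255.112.118
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.118
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.118
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    found = triage_hjt(SAMPLE_LOG, {"192.168.1.1"})
    for f in found:
        print(f)
    for ip, sets in hijack_summary(found).items():
        print(f"{ip}: configured in {sorted(sets)}")
```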


========================================================

#7 serob
  • Topic Starter

  • Members
  • 38 posts

Posted 22 July 2006 - 11:18 PM

Thanks, here are the logs, in the requested order:

KILLBOX LOG:
===============================================================

Pocket Killbox version 2.0.0.648
Running on Windows XP as Pepi(Administrator)
was started @ Saturday, July 22, 2006, 11:44 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\DMAOY.EXE


# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\{315CACD2-BEDC-45FA-9698-8193D568C349}.exe


# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\{59A4E35F-9DE1-4C12-8538-428C56732B52}.exe


# 4 [Delete on Reboot]
Path = C:\WINDOWS\system32\{6CCBF38E-CA1B-4B81-B1A1-9604229D3895}.exe


I Rebooted @ 11:46:31 PM
# 5 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\DMAOY.EXE


# 6 [Delete on Reboot]
Path = C:\WINDOWS\system32\{315CACD2-BEDC-45FA-9698-8193D568C349}.exe


# 7 [Delete on Reboot]
Path = C:\WINDOWS\system32\{59A4E35F-9DE1-4C12-8538-428C56732B52}.exe


# 8 [Delete on Reboot]
Path = C:\WINDOWS\system32\{6CCBF38E-CA1B-4B81-B1A1-9604229D3895}.exe


I Rebooted @ 11:47:28 PM
Killbox Closed(Exit) @ 11:47:29 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Pepi(Administrator)
was started @ Saturday, July 22, 2006, 11:56 PM

===============================================================

SMIT FRAUDFIX

SmitFraudFix v2.74

Scan done at 0:13:13.08, Sun 07/23/2006
Run from C:\Documents and Settings\Pepi\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Pepi\Application Data

C:\Documents and Settings\Pepi\Application Data\Install.dat FOUND !

Start Menu


C:\DOCUME~1\Pepi\FAVORI~1


Desktop


C:\Program Files

C:\Program Files\Daily Weather Forecast\ FOUND !
C:\Program Files\SpySheriff\ FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Scanning wininet.dll infection


End

===============================================================

HJT


Logfile of HijackThis v1.99.1
Scan saved at 12:15:17 AM, on 7/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ANYCOM\Blue USB-200-250\bin\btwdins.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\java\KI\secsys.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ANYCOM\Blue USB-200-250\BTTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Documents and Settings\Pepi\Desktop\LIMPIARSPY\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [eMule Acceleration Patch] C:\Documents and Settings\All Users\Start Menu\Programs\eMule Acceleration Patch\eMule Acceleration Patch.lnk
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ANYCOM\Blue USB-200-250\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ANYCOM\Blue USB-200-250\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ANYCOM\Blue USB-200-250\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (CEditCtrl Object) - https://img.alipay.com/download/1007/aliedit.cab
O16 - DPF: {7A7BA269-2D21-4B33-B60A-8510A1865D5F} (IWS Photo Upload Tool) - http://public1.uploader.officelive.com/_layouts/1033/wh/ActiveX/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.98.46.120/activex/AxisCamControl.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ANYCOM\Blue USB-200-250\bin\btwdins.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Local Security (secsys) - Unknown owner - C:\WINDOWS\java\KI\secsys.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#8 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 23 July 2006 - 01:02 PM

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections then choose clean and click Ok.

Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close Ewido and Reboot in Normal Mode.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

Please post:
  • c:\rapport.txt
  • Ewido log
  • A new HijackThis log



========================================================

#9 serob
  • Topic Starter

  • Members
  • 38 posts

Posted 30 July 2006 - 12:46 AM

Here it is:

RAPPORT
======================================================
SmitFraudFix v2.74

Scan done at 23:43:03.38, Sat 07/29/2006
Run from C:\Documents and Settings\Pepi\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\Documents and Settings\Pepi\Application Data\Install.dat Deleted
C:\Program Files\Daily Weather Forecast\ Deleted
C:\Program Files\SpySheriff\ Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

======================================================

EWIDO

======================================================
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:33:16 AM 7/30/2006

+ Scan result:



HKLM\SOFTWARE\Classes\CLSID\{B7AE5988-3688-C06D-F636-5509DAD63F01} -> Adware.CoolWebSearch : Cleaned.
C:\!KillBox\{6CCBF38E-CA1B-4B81-B1A1-9604229D3895}.exe -> Adware.FindSpy : Cleaned.
C:\!KillBox\{6CCBF38E-CA1B-4B81-B1A1-9604229D3895}.exe( 1) -> Adware.FindSpy : Cleaned.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rotue -> Adware.InternetOptimizer : Cleaned.
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned.
C:\!KillBox\{59A4E35F-9DE1-4C12-8538-428C56732B52}.exe -> Adware.Msnagent : Cleaned.
C:\!KillBox\{59A4E35F-9DE1-4C12-8538-428C56732B52}.exe( 2) -> Adware.Msnagent : Cleaned.
HKU\S-1-5-21-3454908657-2827482083-3343515057-1005\Software\PowerScan -> Adware.PowerScan : Cleaned.
HKLM\SOFTWARE\Classes\CLSID\{daa873d4-958c-453c-81ca-3fe6f3676a87} -> Downloader.Fugif : Cleaned.
:mozilla.237:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.36:C:\Documents and Settings\Casa\Application Data\Mozilla\Firefox\Profiles\x8flsqcd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.393:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.421:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.472:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.55:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.56:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.57:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.58:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.59:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.60:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.61:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.62:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.63:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Casa\Cookies\casa@msnportal.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.264:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.266:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.268:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.269:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.270:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.355:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.357:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.10:C:\Documents and Settings\Casa\Application Data\Mozilla\Firefox\Profiles\x8flsqcd.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.32:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.34:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.36:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.37:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.38:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.39:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.6:C:\Documents and Settings\Casa\Application Data\Mozilla\Firefox\Profiles\x8flsqcd.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.7:C:\Documents and Settings\Casa\Application Data\Mozilla\Firefox\Profiles\x8flsqcd.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.8:C:\Documents and Settings\Casa\Application Data\Mozilla\Firefox\Profiles\x8flsqcd.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.9:C:\Documents and Settings\Casa\Application Data\Mozilla\Firefox\Profiles\x8flsqcd.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.17:C:\Documents and Settings\Casa\Application Data\Mozilla\Firefox\Profiles\x8flsqcd.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.33:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.235:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Bfast : Cleaned.
:mozilla.236:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Bfast : Cleaned.
:mozilla.16:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.450:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.451:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.452:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.453:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.162:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.15:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.18:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.19:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Pepi\Cookies\pepi@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.78:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.79:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.80:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.81:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.82:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.83:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.84:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.75:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.17:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.257:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.422:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.192:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.193:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.194:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.196:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.198:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.208:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.209:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.210:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.211:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.212:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.23:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.24:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.25:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.26:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.27:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.28:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.29:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.30:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.31:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.492:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Findwhat : Cleaned.
:mozilla.366:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.113:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.114:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.115:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.188:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.424:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.471:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.359:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.361:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.363:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.364:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.440:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned.
:mozilla.299:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.300:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.490:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.514:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.77:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.11:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.121:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.33:C:\Documents and Settings\Casa\Application Data\Mozilla\Firefox\Profiles\x8flsqcd.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.372:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.373:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.374:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.375:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.122:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned.
:mozilla.123:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned.
:mozilla.124:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned.
:mozilla.18:C:\Documents and Settings\Casa\Application Data\Mozilla\Firefox\Profiles\x8flsqcd.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.19:C:\Documents and Settings\Casa\Application Data\Mozilla\Firefox\Profiles\x8flsqcd.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.20:C:\Documents and Settings\Casa\Application Data\Mozilla\Firefox\Profiles\x8flsqcd.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.51:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.52:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.53:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.54:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.253:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.254:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.255:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.256:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.242:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.243:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.244:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.245:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.275:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.276:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.441:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Spylog : Cleaned.
:mozilla.402:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Starware : Cleaned.
:mozilla.403:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Starware : Cleaned.
:mozilla.404:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Starware : Cleaned.
:mozilla.405:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Starware : Cleaned.
:mozilla.258:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.259:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.260:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.20:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.21:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.22:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.345:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.163:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.164:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.165:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.166:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.167:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.168:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.170:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.28:C:\Documents and Settings\Casa\Application Data\Mozilla\Firefox\Profiles\x8flsqcd.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.87:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.88:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.89:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.90:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.91:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.92:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.93:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.94:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.95:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.503:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Weborama : Cleaned.
:mozilla.32:C:\Documents and Settings\Casa\Application Data\Mozilla\Firefox\Profiles\x8flsqcd.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.352:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.353:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.439:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.125:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.126:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.127:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Casa\Cookies\casa@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.143:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.144:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.145:C:\Documents and Settings\Pepi\Application Data\Mozilla\Firefox\Profiles\5usievpj.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\Program Files\Ares Lite Edition\AresLite.exe -> Trojan.Small : Cleaned.


::Report end

======================================================

HJT

======================================================
Logfile of HijackThis v1.99.1
Scan saved at 1:42:17 AM, on 7/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\ANYCOM\Blue USB-200-250\bin\btwdins.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\java\KI\secsys.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ANYCOM\Blue USB-200-250\BTTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Pepi\Desktop\LIMPIARSPY\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.averatec.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [eMule Acceleration Patch] C:\Documents and Settings\All Users\Start Menu\Programs\eMule Acceleration Patch\eMule Acceleration Patch.lnk
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ANYCOM\Blue USB-200-250\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ANYCOM\Blue USB-200-250\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ANYCOM\Blue USB-200-250\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (CEditCtrl Object) - https://img.alipay.com/download/1007/aliedit.cab
O16 - DPF: {7A7BA269-2D21-4B33-B60A-8510A1865D5F} (IWS Photo Upload Tool) - http://public1.uploader.officelive.com/_la...eX/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.98.46.120/activex/AxisCamControl.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ANYCOM\Blue USB-200-250\bin\btwdins.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Local Security (secsys) - Unknown owner - C:\WINDOWS\java\KI\secsys.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

======================================================

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 30 July 2006 - 07:02 AM

Your log looks pretty. But I do want to make you aware that you have a keylogger installed and running on this computer. Is this something you are aware of?

http://research.sunbelt-software.com/threa...p;threatid=7719


How is everything working on your end? Any problems?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 August 2006 - 06:36 PM

This topic has been closed due to a lack of response. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================



