Please Help, I've Got Various Infections!


  • This topic is locked
23 replies to this topic

#1 Spa1982


Posted 13 July 2006 - 12:31 PM

Hi, can anyone help? I've got lots of annoying pop-ups, I had a Quake pop-up which I have tried to remove but also a w32.myzor.FK@jf and a "system alert: spyware detected" - I'm beginning to get very frustrated. Please, please help! Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 18:29:34, on 13/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\brsvc01a.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\brss01a.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\wltrysvc.exe
F:\WINDOWS\System32\bcmwltry.exe
F:\WINDOWS\system32\ishost.exe
F:\WINDOWS\system32\issearch.exe
F:\WINDOWS\system32\isnotify.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
F:\WINDOWS\system32\ismon.exe
F:\Program Files\ipwins\ipwins.exe
F:\Program Files\Common Files\{A4FECFBE-0353-2057-1206-00042100002c}\Update.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
F:\Program Files\Messenger\msmsgs.exe
F:\DOCUME~1\David\APPLIC~1\WNSXS~1\dvdplay.exe
F:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
F:\WINDOWS\system32\WgaTray.exe
F:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
F:\Program Files\TClock\TClock.exe
F:\WINDOWS\system32\wbem\wmiapsrv.exe
F:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
F:\WINDOWS\system32\??pPatch\m?iexec.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\DOCUME~1\David\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=2057&id=2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - F:\WINDOWS\system32\byxxvuv.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - F:\WINDOWS\system32\ixt0.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "F:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [SpyQuake2.com] F:\Program Files\SpyQuake2.com\Spy-Quake2.exe /h
O4 - HKLM\..\Run: [IpWins] F:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] F:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "F:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Eitp] "F:\DOCUME~1\David\APPLIC~1\WNSXS~1\dvdplay.exe" -vt yazb
O4 - HKCU\..\Run: [Edyo] F:\WINDOWS\system32\PPATCH~1\MIEXEC~1.EXE
O4 - HKCU\..\Run: [TClock.exe] F:\Program Files\TClock\tclock_install.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: F:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/81cfc845dd...faa82523_35.exe
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {4102A823-AA30-07CD-2459-32F3630E7F2D} - http://85.255.113.214/1/gdnFR2339.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by7fd.bay7.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - AppInit_DLLs: F:\WINDOWS\system32\scanregw.dll
O20 - Winlogon Notify: byxxvuv - F:\WINDOWS\SYSTEM32\byxxvuv.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winonm32 - F:\WINDOWS\SYSTEM32\winonm32.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - F:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - F:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: WLTRYSVC - Unknown owner - F:\WINDOWS\System32\wltrysvc.exe



#2 agrarianmonk


Posted 15 July 2006 - 11:09 PM

Hi,

Welcome to BleepingComputer. I will be more than happy to help you work on your problems.
Please give me some time to review your log as this can be a lengthy process. As soon as a BleepingComputer Staff Expert reviews my fix, I will post it for you.
In the meantime, if any problems occur, please let me know.
Please only use this topic to reply to. Do not start another thread.
The fixes we will use are specific to your problems and should only be used for this issue on this machine.
If you’re unsure of anything at all please stop and ask!
agrarianmonk


Requests for help via PM will be ignored. Please post on the forums instead :)
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 agrarianmonk


Posted 17 July 2006 - 02:10 AM

Please install an antivirus and firewall first, because it doesn't make any sense to remove malware from your system if no scanner is preventing them from reinfecting your computer.

AVG Anti-Virus, Avira OR Avast Home Edition are good FREE antivirus scanners.
After installing ONE antivirus program, download the latest signatures, and do a full system scan.

Without a firewall your computer is susceptible to being hacked and taken over:
Kerio Personal Firewall OR ZoneAlarm are good FREE firewalls.

Read Understanding and using firewalls to learn more about using firewalls

VERY IMPORTANT: Never install more than ONE antivirus scanner and firewall on your system! Several together can give problems and decrease their reliability and effectiveness!

*******************************

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

*******************************

Please download VundoFix.exe to your desktop.
* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, click the Scan for Vundo button.
* Once the scan is complete, Right Click inside the listbox (white box) and click add more files
* Copy & Paste the 2 entries below into the top 2 boxes

o F:\WINDOWS\system32\byxxvuv.dll
o F:\WINDOWS\system32\vuvxxyb.*

* Click Add Files and Click Close Window
* Click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.
*******************************

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

*******************************

You are currently using HijackThis from a temporary directory, this can cause problems.
HijackThis creates backups, these are needed in case of any recovery issues.
Please create a directory on your C:\ drive called C:\HJT, download and unzip HijackThis into that directory. Run the program from that directory from now on.

STEPS For Creating Folder
1. Please go to My Computer, open your C:\ drive, Select: New >> Folder and name the folder HJT.

2. Download HijackThis to the new folder:

3. Double Click on 'HijackThis.zip' to extract and install HijackThis.exe to the new folder.

4. Close ALL windows except HJT

5. SCAN with HJT and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to 'select all', Ctrl-C to 'copy')

6. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')
Please make sure you post the entire log including the top portion:

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

*******************************

In your next post, please include
  • new hijackthis log
  • uninstall list
  • c:\vundofix.txt
  • smitfraudfix log

agrarianmonk


#4 Spa1982


Posted 17 July 2006 - 08:14 AM

Hi there.

Thank you very much for your help, I really appreciate it.
I have followed your instructions, however I had some problems:

1. I can't seem to create a HJT uninstall list log file. When I click "save list" there is some HD activity but nothing is created, I have done a system search but nothing... very curious.

2. I have downloaded Vundofix but after I close it, it never re-appears! It did create this txt file in my root directory:

VundoFix V5.1.4

Checking Java version...

Sun Java not detected
Scan started at 14:02:29 17/07/2006

Listing files found while scanning....

No infected files were found.

~~~~~~~~~

I managed to create the rapport.txt and a new HJT log please find them below. Many thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 14:03:26, on 17/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\system32\brsvc01a.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\brss01a.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\Program Files\ewido anti-spyware 4.0\guard.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\wltrysvc.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\System32\bcmwltry.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\QuickTime\qttask.exe
F:\WINDOWS\system32\WgaTray.exe
F:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
F:\Program Files\ipwins\ipwins.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\Common Files\{A4FECFBE-0353-2057-1206-00042100002c}\Update.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
F:\Program Files\Messenger\msmsgs.exe
F:\PROGRA~1\RACLE~1\RVICES~1.EXE
F:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
F:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
F:\Program Files\TClock\TClock.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Documents and Settings\David\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "F:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" -onlytray
O4 - HKLM\..\Run: [IpWins] "F:\Program Files\ipwins\ipwins.exe"
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] "F:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "F:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Eitp] "F:\DOCUME~1\David\APPLIC~1\WNSXS~1\dvdplay.exe" -vt yazb
O4 - HKCU\..\Run: [TClock.exe] F:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [Hdvssrfx] F:\PROGRA~1\RACLE~1\RVICES~1.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/81cfc845dd...faa82523_35.exe
O16 - DPF: {198DF2DC-7DF2-7D88-D4A5-5A0C7AD57599} - http://85.255.113.214/1/gdnFR2339.exe
O16 - DPF: {306B8C73-4A12-2EBA-D719-3F0C03035CB4} - http://85.255.113.214/1/gdnFR2339.exe
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {4102A823-AA30-07CD-2459-32F3630E7F2D} - http://85.255.113.214/1/gdnFR2339.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by7fd.bay7.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: F:\WINDOWS\system32\scanregw.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - F:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - F:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - F:\WINDOWS\System32\wltrysvc.exe

~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~

SmitFraudFix v2.70

Scan done at 13:53:01.27, 17/07/2006
Run from F:\Documents and Settings\David\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» F:\


»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» F:\Documents and Settings\David\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» F:\DOCUME~1\David\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop

F:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» F:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#5 agrarianmonk


Posted 17 July 2006 - 12:39 PM

Please go to Start --> Run and type in services.msc

Under the "Name" column, scroll down to task scheduler.

Please check that under the "Status" column, it is set to started, and under "Startup Type" column, it is set to automatic. If it is not set to automatic, please <<right click>> on it and select Properties; Then under "Startup type" change it to automatic. Then click Apply, and reboot your computer.

**********************

Some malware is preventing Hijackthis from carrying out its functions.

Please rename Hijackthis to hjt and post a new hijackthis log and an uninstall list in your next post.

thanks,
agrarianmonk


#6 Spa1982


Posted 17 July 2006 - 02:12 PM

Hello again, once again I'd like to thank you for your help, I hope we can get my machine back on track!

The services.msc was all set up normally. I changed the name of HijackThis to HJT and it seemed to have the desired effect.

Here are the files as requested:

AC3Filter (remove only)
Adaptec Easy CD Creator
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.7
Adobe® Photoshop® Album Starter Edition 3.0
AFPL Ghostscript 8.53
AFPL Ghostscript Fonts
ALi USB2.0 Driver
All-in-One DVD Player
AVG Free Edition
Barbie™ Mermaid Adventure™ CD-ROM
BT Voyager Wireless Utility
DATA BECKER CD-Copier
EPSON Printer Software
EXPStudio Audio Editor FREE 3.97
ffdshow (remove only)
Google Earth
GSview 4.8
HijackThis 1.99.1
IpWins
Macromedia Flash Player 8
Microsoft Office Professional Edition 2003
Microsoft Windows XP Video Decoder Checkup Utility
MSN
MSN Gaming Zone
Music Visualizer Library 1.4.00
Nokia Connectivity Cable Driver
Nokia PC Suite
OpenMG Limited Patch 3.1-02-10-22-01
OpenMG Limited Patch 3.1-02-10-22-02
OpenMG Limited Patch 3.1-02-12-04-01
OpenMG Secure Module 3.1
Panda ActiveScan
Picasa 2
QuickTime
RealPlayer
Roguescanfix 1.4
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Serif PhotoPlus 6.0
Smart Audio Converter
SonicStage 1.5.06
Spybot - Search & Destroy 1.4
STOIK Capturer
UnRar for Windows v1.0
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinMX
Yazzle by OIN
Yazzle by OIN
ZoneAlarm

~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 20:11:39, on 17/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\system32\brsvc01a.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\brss01a.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\Program Files\ewido anti-spyware 4.0\guard.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\wltrysvc.exe
F:\WINDOWS\System32\bcmwltry.exe
F:\WINDOWS\system32\WgaTray.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
F:\Program Files\ipwins\ipwins.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\Common Files\{A4FECFBE-0353-2057-1206-00042100002c}\Update.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
F:\Program Files\Messenger\msmsgs.exe
F:\PROGRA~1\RACLE~1\RVICES~1.EXE
F:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
F:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
F:\Program Files\TClock\TClock.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\notepad.exe
F:\Documents and Settings\David\My Documents\hijackthis\hjt.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - F:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {C62C58BA-00BA-4C2C-B682-2203923AE915} - F:\WINDOWS\system32\tuvuv.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "F:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" -onlytray
O4 - HKLM\..\Run: [IpWins] "F:\Program Files\ipwins\ipwins.exe"
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] "F:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "F:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [TClock.exe] F:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [Hdvssrfx] F:\PROGRA~1\RACLE~1\RVICES~1.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/81cfc845dd...faa82523_35.exe
O16 - DPF: {198DF2DC-7DF2-7D88-D4A5-5A0C7AD57599} - http://85.255.113.214/1/gdnFR2339.exe
O16 - DPF: {306B8C73-4A12-2EBA-D719-3F0C03035CB4} - http://85.255.113.214/1/gdnFR2339.exe
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {4102A823-AA30-07CD-2459-32F3630E7F2D} - http://85.255.113.214/1/gdnFR2339.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by7fd.bay7.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: F:\WINDOWS\system32\scanregw.dll
O20 - Winlogon Notify: tuvuv - F:\WINDOWS\system32\tuvuv.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winonm32 - F:\WINDOWS\SYSTEM32\winonm32.dll
O20 - Winlogon Notify: WRNotifier - F:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - F:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - F:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - F:\WINDOWS\System32\wltrysvc.exe
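
Added example (not part of any post in this thread, and not code from HijackThis or VundoFix): a small parser that compares two of the HijackThis logs above and lists DLLs registered both as a BHO (O2) and as a Winlogon Notify package (O20), which is the pattern `byxxvuv.dll` and later `tuvuv.dll` show. The function names are hypothetical, the dual-registration check is a triage heuristic rather than a verdict, and the reversed-name companion pattern is an assumption taken from the `byxxvuv.dll` / `vuvxxyb.*` pair the helper entered in VundoFix.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: autostart lines copied from the 13 July and the
# 17 July (20:11) HijackThis logs posted in this thread.
LOG_13_JULY = r"""
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - F:\WINDOWS\system32\byxxvuv.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - F:\WINDOWS\system32\ixt0.dll
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: F:\WINDOWS\system32\scanregw.dll
O20 - Winlogon Notify: byxxvuv - F:\WINDOWS\SYSTEM32\byxxvuv.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winonm32 - F:\WINDOWS\SYSTEM32\winonm32.dll
"""

LOG_17_JULY = r"""
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - F:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {C62C58BA-00BA-4C2C-B682-2203923AE915} - F:\WINDOWS\system32\tuvuv.dll
O20 - AppInit_DLLs: F:\WINDOWS\system32\scanregw.dll
O20 - Winlogon Notify: tuvuv - F:\WINDOWS\system32\tuvuv.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winonm32 - F:\WINDOWS\SYSTEM32\winonm32.dll
O20 - Winlogon Notify: WRNotifier - F:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# "O2 - BHO: <name> - {CLSID} - <path>", optionally followed by " (file missing)"
BHO_RE = re.compile(
    r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.+?)(?: \(file missing\))?$")
# "O20 - Winlogon Notify: <key name> - <path>"
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: .+? - (?P<path>.+)$")


def autostart_dlls(log_text):
    """Return two dicts {lowercased path: path as logged}: O2 BHOs, O20 Notify DLLs."""
    bho, notify = {}, {}
    for line in log_text.splitlines():
        line = line.strip()
        for regex, bucket in ((BHO_RE, bho), (NOTIFY_RE, notify)):
            match = regex.match(line)
            if match:
                # Windows paths are case-insensitive (system32 vs SYSTEM32).
                bucket[match["path"].lower()] = match["path"]
    return bho, notify


def dual_registered(log_text):
    """DLLs that load both into the browser (O2) and at logon (O20 Notify)."""
    bho, notify = autostart_dlls(log_text)
    return sorted(bho[key] for key in bho.keys() & notify.keys())


def vundofix_entries(dll_path):
    """The DLL plus the reversed-name wildcard, as typed into VundoFix in this thread."""
    path = PureWindowsPath(dll_path)
    return str(path), str(path.parent / (path.stem[::-1] + ".*"))


def compare_scans(before, after):
    """Dual-registered DLLs that disappeared or appeared between two scans."""
    old = {p.lower(): p for p in dual_registered(before)}
    new = {p.lower(): p for p in dual_registered(after)}
    return {"gone": sorted(old[k] for k in old.keys() - new.keys()),
            "new": sorted(new[k] for k in new.keys() - old.keys())}


if __name__ == "__main__":
    change = compare_scans(LOG_13_JULY, LOG_17_JULY)
    print("no longer listed:", change["gone"])
    for dll in change["new"]:
        print("new dual registration:", dll)
        print("  files to hand to the removal tool:", vundofix_entries(dll))
```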

#7 agrarianmonk


Posted 18 July 2006 - 02:11 AM

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.


Please remove these entries from Add or Remove Programs in the Control Panel(if present):

IpWins
Yazzle by OIN
Yazzle by OIN

The following are optional; however, any time you are running any type of P2P application, you are FAR more prone to infection by malware. Your current infections are likely due to P2P use. At the VERY LEAST, please refrain from using any p2p programs while we are cleaning your computer:

WinMX

Please note any other programs that you don't recognize in that list in your next response

(an easy way to get to Add or Remove programs is to go to start-->run and type appwiz.cpl)

We need to run Vundofix again:
* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, click the Scan for Vundo button.
* Once the scan is complete, Right Click inside the listbox (white box) and click add more files
* Copy & Paste the 2 entries below into the top 2 boxes

o F:\WINDOWS\system32\tuvuv.dll
o F:\WINDOWS\system32\vuvut.*

* Click Add Files and Click Close Window
* Click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: If Vundofix never re-opens, please try running vundofix again, but without the check next to "Run VundoFix as a task."

***************************************

I notice you already have Ewido Installed; Open Ewido
  • On the main screen under Your Computer's security.
  • Click on Change state next to Resident shield. It should now change to inactive.
  • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
  • Wait until you see the Update successful message.
    Note: If the Update now option is grayed out, follow the steps below.
  • Click on Update on the toolbar.
  • Under Manual update, click on the Start Update button.
  • Wait until you see the Update successful message.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.

Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

***************************************

Go to Start > Run
Type: regedit
Click OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to "File > Export"
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put backup
  • Choose to save it to C:\ or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
  • Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

**********************
  • Copy the contents of the Quote Box below to Notepad.
  • Name the file as fix.reg
  • Change the Save as Type to All Files
  • and Save it on the desktop

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{A4FECFBE-0353-2057-1206-00042100002c}"=-

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A4FECFBE-0353-2057-1206-00042100002c}]


Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below (if present).

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - F:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {C62C58BA-00BA-4C2C-B682-2203923AE915} - F:\WINDOWS\system32\tuvuv.dll
O4 - HKLM\..\Run: [IpWins] "F:\Program Files\ipwins\ipwins.exe"
O4 - HKCU\..\Run: [TClock.exe] F:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [Hdvssrfx] F:\PROGRA~1\RACLE~1\RVICES~1.EXE
O16 - DPF: {198DF2DC-7DF2-7D88-D4A5-5A0C7AD57599} - http://85.255.113.214/1/gdnFR2339.exe
O16 - DPF: {306B8C73-4A12-2EBA-D719-3F0C03035CB4} - http://85.255.113.214/1/gdnFR2339.exe
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {4102A823-AA30-07CD-2459-32F3630E7F2D} - http://85.255.113.214/1/gdnFR2339.exe
O20 - AppInit_DLLs: F:\WINDOWS\system32\scanregw.dll
O20 - Winlogon Notify: tuvuv - F:\WINDOWS\system32\tuvuv.dll
O20 - Winlogon Notify: winonm32 - F:\WINDOWS\SYSTEM32\winonm32.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

***************************************

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

***************************************

Next, we need to Reveal Hidden Files

1. Click Start.
2. Open My Computer.
3. Select Tools menu
4. Click Folder Options.
5. Select the View Tab.
6. Select Show hidden files and folders in the Hidden files and folders section.
7. Uncheck Hide protected operating system files (recommended) option.
8. Uncheck the Hide file extensions for known file types option.
9. Click Yes.
10. Click OK.

***************************************

Using Windows Explorer/My Computer, please delete the following files/folders if still present:

F:\WINDOWS\SYSTEM32\winonm32.dll << This file
F:\WINDOWS\system32\tuvuv.dll << This file
F:\WINDOWS\system32\scanregw.dll << This file
F:\Documents and Settings\All Users\Desktop\Security Troubleshooting.url << This file
F:\Program Files\RACLE~1 << This folder that begins with the letters RACLE
F:\Program Files\TClock << This folder
F:\Program Files\ipwins << This folder
F:\Program Files\Common Files\{A4FECFBE-0353-2057-1206-00042100002c}\ << this folder

If you get an error when deleting a file, <<right click>> on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

Please note any files/folders you couldn't find or delete in your next post.

***************************************

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Then, Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
***************************************

Reboot your system back into Normal Mode.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
In your next post, please include:
  • new hijackthis log
  • ewido log
  • panda log
You may need several replies to post the requested logs, otherwise they might get cut off.

*also let me know how your computer is running at the moment and if any problems persist.
agrarianmonk

Requests for help via PM will be ignored. Please post on the forums instead :)
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#8 Spa1982

Posted 18 July 2006 - 08:02 AM

Hello again, thanks for your detailed instructions, I have tried to follow them as best as I could. I'm still getting some pop-ups, in particular one that says "Winantivirus pro 2006". Also my system seems a bit sluggish and prone to crash.

I had a couple of problems (see below) but managed to complete most of the instructions.

Again, Vundofix didn't re-appear despite your suggestions.

In Ewido, I couldn't change the state in "your computers security" to "resident shield". The option just said "n/a".

I had an unexpected error whilst fixing the checked items in Hijackthis (see report below)

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: F:\WINDOWS\system32\scanregw.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.
~~~~~~~~~~~~~~~~~~~

I managed to complete the scan, not sure if it was disrupted in any way, I'll post an updated HJT log later in the document.

Next you asked me to delete some files and folders in Safe Mode. I was able to delete most of them, the ones that didn't allow me were:

F:\windows\system32\tuvuv.dll and scanregw.dll (the latter I had a problem with during the HJT fix also)

All the others did allow me to delete or were not present.
Here are the logs you asked for:

Logfile of HijackThis v1.99.1
Scan saved at 13:54:15, on 18/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\brsvc01a.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\brss01a.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\Program Files\ewido anti-spyware 4.0\guard.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\wltrysvc.exe
F:\WINDOWS\System32\bcmwltry.exe
F:\WINDOWS\system32\WgaTray.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
F:\Program Files\Messenger\msmsgs.exe
F:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
F:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
F:\WINDOWS\system32\notepad.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Documents and Settings\David\My Documents\hijackthis\hjt.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: (no name) - {B331BCEE-B1A6-4AAF-9481-F877C833296B} - F:\WINDOWS\system32\tuvuv.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "F:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" -onlytray
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] "F:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "F:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/81cfc845dd...faa82523_35.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by7fd.bay7.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: scanregw.dll
O20 - Winlogon Notify: tuvuv - F:\WINDOWS\system32\tuvuv.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - F:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - F:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - F:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - F:\WINDOWS\System32\wltrysvc.exe

N.B. The other requested logs are in the following post....
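
Added example (not part of either post above, and not HijackThis code): a check of which entries from the fix list in post #7 still appear in the follow-up log in post #8. It rejoins hard-wrapped entries and matches on section code plus file name, because in these two logs the tuvuv.dll BHO carries a different CLSID and scanregw.dll is listed without its path, so a line-for-line comparison misses both. The function names and the matching rule are assumptions of this example; the sample lines are copied from the two posts.

```python
import re

# A HijackThis entry starts with a section code such as R1, O2, O20 or O23.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - ")
# A file name ending in .dll/.exe; separators, quotes, brackets and spaces end it.
FILE_RE = re.compile(r'[^\\/"\[\]\s:]+\.(?:dll|exe)\b', re.IGNORECASE)

# Entries the helper asked to be fixed (subset copied from post #7).
FIX_LIST = r"""
O2 - BHO: (no name) - {C62C58BA-00BA-4C2C-B682-2203923AE915} - F:\WINDOWS\system32\tuvuv.dll
O4 - HKLM\..\Run: [IpWins] "F:\Program Files\ipwins\ipwins.exe"
O20 - AppInit_DLLs: F:\WINDOWS\system32\scanregw.dll
O20 - Winlogon Notify: tuvuv - F:\WINDOWS\system32\tuvuv.dll
O20 - Winlogon Notify: winonm32 - F:\WINDOWS\SYSTEM32\winonm32.dll
"""

# Follow-up log lines (subset copied from post #8, hard wraps kept as posted).
LATER_LOG = r"""
O2 - BHO: (no name) - {B331BCEE-B1A6-4AAF-9481-F877C833296B} -

F:\WINDOWS\system32\tuvuv.dll
O20 - AppInit_DLLs: scanregw.dll
O20 - Winlogon Notify: tuvuv - F:\WINDOWS\system32\tuvuv.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


def unwrap(text):
    """Rejoin entries that were wrapped when pasted.

    A non-blank line that does not start with a section code is treated as
    the continuation of the previous entry. Pass only the entry part of a
    log; prose after the last entry would be appended to it.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_RE.match(line):
            entries.append(line)
        elif entries:
            entries[-1] += " " + line
    return entries


def key(entry):
    """Return (section code, lower-cased file name) or None if no file."""
    code = ENTRY_RE.match(entry).group(1)
    files = FILE_RE.findall(entry)
    return (code, files[-1].lower()) if files else None


def exact_matches(fix_text, later_text):
    """Naive check: fix-list entries that reappear character for character."""
    later = set(unwrap(later_text))
    return [e for e in unwrap(fix_text) if e in later]


def still_present(fix_text, later_text):
    """Fix-list entries whose (section, file name) is still in the later log."""
    later = {}
    for entry in unwrap(later_text):
        k = key(entry)
        if k is not None:
            later.setdefault(k, entry)
    hits = []
    for entry in unwrap(fix_text):
        k = key(entry)
        if k in later:
            hits.append((k, later[k]))
    return hits


if __name__ == "__main__":
    print("verbatim matches:", len(exact_matches(FIX_LIST, LATER_LOG)))
    for (code, name), line in still_present(FIX_LIST, LATER_LOG):
        print(f"still present [{code}] {name}: {line}")
```
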

#9 Spa1982

Posted 18 July 2006 - 08:04 AM

The other requested logs are below.

~~~~~~~~~~~~~~~~~~~~~~

I think this was the panda log:


Incident                                          Status            Location
Spyware:spyware/marketscore                       Not disinfected   f:\windows\system32\rk.bin
Spyware:spyware/surfsidekick                      Not disinfected   F:\Documents and Settings\David\Local Settings\Temporary Internet Files\Ssk.log
Spyware:Cookie/PointRoll                          Not disinfected   F:\Documents and Settings\David\Cookies\david@ads.pointroll[2].txt
Potentially unwanted tool:Application/Processor   Not disinfected   F:\Documents and Settings\David\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor   Not disinfected   F:\Documents and Settings\David\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor   Not disinfected   F:\Documents and Settings\David\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor   Not disinfected   F:\Documents and Settings\David\Desktop\smitRem.exe[smitRem/Process.exe]

~~~~~~~~~~~~~~~~~~~~~~~
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 13:13:52 18/07/2006

+ Scan result:



F:\Program Files\Оracle\ѕеrvices.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
F:\WINDOWS\system32\scanregw.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
F:\WINDOWS\system32\АрpPatch\__delete_on_reboot__m_ѕ_i_e_x_e_c_._e_x_e_ -> Adware.PurityScan : Cleaned with backup (quarantined).
[1748] F:\WINDOWS\system32\scanregw.dll -> Adware.PurityScan : Error during cleaning.
[228] F:\WINDOWS\system32\scanregw.dll -> Adware.PurityScan : Error during cleaning.
[276] F:\WINDOWS\system32\scanregw.dll -> Adware.PurityScan : Error during cleaning.
[288] F:\WINDOWS\system32\scanregw.dll -> Adware.PurityScan : Error during cleaning.
[448] F:\WINDOWS\system32\scanregw.dll -> Adware.PurityScan : Error during cleaning.
[512] F:\WINDOWS\system32\scanregw.dll -> Adware.PurityScan : Error during cleaning.
[580] F:\WINDOWS\system32\scanregw.dll -> Adware.PurityScan : Error during cleaning.
F:\Documents and Settings\David\My Documents\hijackthis\backups\backup-20060718-111516-528.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
F:\WINDOWS\system32\byxxvuv.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
F:\WINDOWS\system32\tuvuv.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
F:\Documents and Settings\Paul\FQFBall\Program_Files_from_QF\Broderbund\The Print Shop Photo Pro\System\Randomize.dll -> Backdoor.Ralpha : Cleaned with backup (quarantined).
F:\Documents and Settings\Paul\FQFBall\Various_Files\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\WXW5GDAV\Porn[1].exe -> Dialer.BTV : Cleaned with backup (quarantined).
F:\Documents and Settings\Paul\FQFBall\Various_Files\WINDOWS\SYSTEM\Celebs-Nude-uninstall.exe -> Dialer.Generic : Cleaned with backup (quarantined).
F:\Program Files\All-in-One DVD Player\Partner\installer_NPS.exe -> Downloader.Adload.a : Cleaned with backup (quarantined).
F:\Documents and Settings\David\Application Data\WіnSxS\dvdplay.exe -> Downloader.PurityScan.bx : Cleaned with backup (quarantined).
F:\Documents and Settings\Paul\FQFBall\Various_Files\WINDOWS\Temporary Internet Files\Content.IE5\6XCRMRG1\Browser_Plugin[1].cab/cmb_235003.exe -> Heuristic.Win32.Dialer : Ignored.
F:\Documents and Settings\Paul\FQFBall\020915Paul-misc\Utilities\VB code Spion and Toshiba troubleshooting\SPI-2\IKS.REG -> Logger.IKSlog.a : Cleaned with backup (quarantined).
F:\Documents and Settings\Paul\FQFBall\020915Paul-misc\Utilities\VB code Spion and Toshiba troubleshooting\SPI-2\IKS.SYS -> Logger.IKSlog.a : Cleaned with backup (quarantined).
F:\Documents and Settings\Paul\FQFBall\Various_Files\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\49CJAR4D\iframe1[1].html -> Not-A-Virus.Exploit.HTML.Mht : Ignored.
F:\Documents and Settings\Paul\FQFBall\Various_Files\WINDOWS\Temporary Internet Files\Content.IE5\JZZYHAJZ\musicplus[1].htm -> Not-A-Virus.Exploit.HTML.Mht : Ignored.
F:\WINDOWS\system32\components\flx3.dll -> Not-A-Virus.Hoax.Win32.Renos.dw : Ignored.
F:\WINDOWS\system32\components\flx5.dll -> Not-A-Virus.Hoax.Win32.Renos.dw : Ignored.
F:\Documents and

Settings\Suzanne\Cookies\suzanne@e-2dj6wfmycmazikp.stats.esomniture[2].txt ->

TrackingCookie.Esomniture : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\suzanne@e-2dj6wgkykjajsdp.stats.esomniture[2].txt ->

TrackingCookie.Esomniture : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\suzanne@e-2dj6wjmycocjieo.stats.esomniture[2].txt ->

TrackingCookie.Esomniture : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\suzanne@e-2dj6wjmykpd5oap.stats.esomniture[1].txt ->

TrackingCookie.Esomniture : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1003\Df64.txt ->

TrackingCookie.Esomniture : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1003\Df65.txt ->

TrackingCookie.Esomniture : Cleaned.
F:\Documents and

Settings\Paul\Cookies\Cookies_deleted_060613\paul@adopt.euroclick[1].txt ->

TrackingCookie.Euroclick : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@adopt.euroclick[2].txt ->

TrackingCookie.Euroclick : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1004\Df16.txt ->

TrackingCookie.Euroclick : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@as-us.falkag[1].txt ->

TrackingCookie.Falkag : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@as1.falkag[1].txt ->

TrackingCookie.Falkag : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@sel.as-us.falkag[2].txt ->

TrackingCookie.Falkag : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1004\Df100.txt ->

TrackingCookie.Falkag : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1004\Df25.txt ->

TrackingCookie.Falkag : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1004\Df26.txt ->

TrackingCookie.Falkag : Cleaned.
F:\Documents and

Settings\Paul\Cookies\Cookies_deleted_060613\paul@fastclick[2].txt ->

TrackingCookie.Fastclick : Cleaned.
F:\Documents and Settings\Paul\Cookies\paul@fastclick[1].txt ->

TrackingCookie.Fastclick : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1003\Df22.txt ->

TrackingCookie.Fastclick : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1003\Df32.txt ->

TrackingCookie.Fastclick : Cleaned.
F:\Documents and

Settings\Paul\Cookies\Cookies_deleted_060613\paul@ehg-logantod.hitbox[1].txt

-> TrackingCookie.Hitbox : Cleaned.
F:\Documents and

Settings\Paul\Cookies\Cookies_deleted_060613\paul@hitbox[1].txt ->

TrackingCookie.Hitbox : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\cookies_deleted_050520\suzanne@ehg-bcmb.hitbox[2].tx

t -> TrackingCookie.Hitbox : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\cookies_deleted_050520\suzanne@hitbox[1].txt ->

TrackingCookie.Hitbox : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\cookies_deleted_050520\suzanne@phg.hitbox[1].txt ->

TrackingCookie.Hitbox : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@counter2.hitslink[1].txt ->

TrackingCookie.Hitslink : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\cookies_deleted_050520\suzanne@ivwbox[2].txt ->

TrackingCookie.Ivwbox : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@kmpads[2].txt ->

TrackingCookie.Kmpads : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\050511_cookies_deleted\suzanne@server.iad.liveperson

[2].txt -> TrackingCookie.Liveperson : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\suzanne@server.iad.liveperson[2].txt ->

TrackingCookie.Liveperson : Cleaned.
F:\Documents and

Settings\Paul\Cookies\Cookies_deleted_060613\paul@mediaplex[1].txt ->

TrackingCookie.Mediaplex : Cleaned.
F:\Documents and Settings\Paul\Cookies\paul@mediaplex[2].txt ->

TrackingCookie.Mediaplex : Cleaned.
F:\Documents and Settings\Paul\Hazels_HD\TEMP\aprsl@mediaplex[1].txt ->

TrackingCookie.Mediaplex : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\050511_cookies_deleted\suzanne@mediaplex[1].txt ->

TrackingCookie.Mediaplex : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\cookies_deleted_050520\suzanne@mediaplex[2].txt ->

TrackingCookie.Mediaplex : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@mediaplex[1].txt ->

TrackingCookie.Mediaplex : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1003\Df72.txt ->

TrackingCookie.Mediaplex : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\suzanne@www.myaffiliateprogram[1].txt ->

TrackingCookie.Myaffiliateprogram : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@stat.onestat[2].txt ->

TrackingCookie.Onestat : Cleaned.
F:\Documents and Settings\Paul\Cookies\paul@data2.perf.overture[2].txt ->

TrackingCookie.Overture : Cleaned.
F:\Documents and Settings\Paul\Cookies\paul@perf.overture[1].txt ->

TrackingCookie.Overture : Cleaned.
F:\Documents and Settings\Paul\FQFBall\Various_Files\WINDOWS\Cookies\paul

nesvadba@overture[1].txt -> TrackingCookie.Overture : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\050511_cookies_deleted\suzanne@overture[2].txt ->

TrackingCookie.Overture : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\cookies_deleted_050520\suzanne@overture[1].txt ->

TrackingCookie.Overture : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\cookies_deleted_050520\suzanne@overture[2].txt ->

TrackingCookie.Overture : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@data3.perf.overture[2].txt

-> TrackingCookie.Overture : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@overture[1].txt ->

TrackingCookie.Overture : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@perf.overture[1].txt ->

TrackingCookie.Overture : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@ads.pointroll[2].txt ->

TrackingCookie.Pointroll : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1004\Df20.txt ->

TrackingCookie.Pointroll : Cleaned.
F:\Documents and Settings\Paul\FQFBall\Various_Files\WINDOWS\Cookies\paul

nesvadba@artemis.porntrack[2].txt -> TrackingCookie.Porntrack : Cleaned.
F:\Documents and Settings\Paul\Cookies\paul@qksrv[1].txt ->

TrackingCookie.Qksrv : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\cookies_deleted_050520\suzanne@qksrv[2].txt ->

TrackingCookie.Qksrv : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1004\Df88.txt ->

TrackingCookie.Qksrv : Cleaned.
F:\Documents and Settings\Paul\FQFBall\Various_Files\WINDOWS\Cookies\paul

nesvadba@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
F:\Documents and Settings\Paul\FQFBall\Various_Files\WINDOWS\Cookies\paul

nesvadba@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
F:\Documents and Settings\Paul\FQFBall\Various_Files\WINDOWS\Cookies\paul

nesvadba@questionmarket[3].txt -> TrackingCookie.Questionmarket : Cleaned.
F:\Documents and Settings\Paul\Hazels_HD\TEMP\aprsl@questionmarket[2].txt ->

TrackingCookie.Questionmarket : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\050511_cookies_deleted\suzanne@questionmarket[1].txt

-> TrackingCookie.Questionmarket : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\cookies_deleted_050520\suzanne@questionmarket[1].txt

-> TrackingCookie.Questionmarket : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@questionmarket[1].txt ->

TrackingCookie.Questionmarket : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1004\Df89.txt ->

TrackingCookie.Questionmarket : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@stats1.reliablestats[2].txt

-> TrackingCookie.Reliablestats : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@revenue[1].txt ->

TrackingCookie.Revenue : Cleaned.
F:\Documents and Settings\Paul\FQFBall\Various_Files\WINDOWS\Cookies\paul

nesvadba@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\050511_cookies_deleted\suzanne@edge.ru4[2].txt ->

TrackingCookie.Ru4 : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1004\Df46.txt ->

TrackingCookie.Ru4 : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\050511_cookies_deleted\suzanne@bs.serving-sys[1].txt

-> TrackingCookie.Serving-sys : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\050511_cookies_deleted\suzanne@serving-sys[1].txt ->

TrackingCookie.Serving-sys : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\cookies_deleted_050520\suzanne@serving-sys[2].txt ->

TrackingCookie.Serving-sys : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@bs.serving-sys[2].txt ->

TrackingCookie.Serving-sys : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@serving-sys[2].txt ->

TrackingCookie.Serving-sys : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1004\Df102.txt ->

TrackingCookie.Serving-sys : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\cookies_deleted_050520\suzanne@cs.sexcounter[2].txt

-> TrackingCookie.Sexcounter : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\cookies_deleted_050520\suzanne@counter10.sextracker[

1].txt -> TrackingCookie.Sextracker : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\cookies_deleted_050520\suzanne@sextracker[1].txt ->

TrackingCookie.Sextracker : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@statcounter[1].txt ->

TrackingCookie.Statcounter : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@anat.tacoda[1].txt ->

TrackingCookie.Tacoda : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@tacoda[1].txt ->

TrackingCookie.Tacoda : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1004\Df105.txt ->

TrackingCookie.Tacoda : Cleaned.
F:\Documents and

Settings\Paul\Cookies\Cookies_deleted_060613\paul@tradedoubler[2].txt ->

TrackingCookie.Tradedoubler : Cleaned.
F:\Documents and Settings\Paul\Cookies\paul@tradedoubler[2].txt ->

TrackingCookie.Tradedoubler : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\cookies_deleted_050520\suzanne@tradedoubler[2].txt

-> TrackingCookie.Tradedoubler : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@tradedoubler[1].txt ->

TrackingCookie.Tradedoubler : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1004\Df109.txt ->

TrackingCookie.Tradedoubler : Cleaned.
F:\Documents and Settings\Paul\Hazels_HD\TEMP\aprsl@trafficmp[2].txt ->

TrackingCookie.Trafficmp : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1004\Df110.txt ->

TrackingCookie.Trafficmp : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@tribalfusion[2].txt ->

TrackingCookie.Tribalfusion : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1003\Df48.txt ->

TrackingCookie.Tribalfusion : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1004\Df111.txt ->

TrackingCookie.Tribalfusion : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@pr.valueclick[1].txt ->

TrackingCookie.Valueclick : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@valueclick[2].txt ->

TrackingCookie.Valueclick : Cleaned.
F:\Documents and Settings\Paul\FQFBall\Various_Files\WINDOWS\Cookies\paul

nesvadba@www.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@webstat[2].txt ->

TrackingCookie.Web-stat : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1003\Df77.txt ->

TrackingCookie.Web-stat : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@weborama[1].txt ->

TrackingCookie.Weborama : Cleaned.
F:\Documents and Settings\Paul\Cookies\paul@statse.webtrendslive[2].txt ->

TrackingCookie.Webtrendslive : Cleaned.
F:\Documents and

Settings\Suzanne\Cookies\cookies_deleted_050520\suzanne@statse.webtrendslive[

2].txt -> TrackingCookie.Webtrendslive : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@statse.webtrendslive[2].txt

-> TrackingCookie.Webtrendslive : Cleaned.
F:\Documents and Settings\Paul\Cookies\paul@ad.yieldmanager[1].txt ->

TrackingCookie.Yieldmanager : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@ad.yieldmanager[1].txt ->

TrackingCookie.Yieldmanager : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1003\Df7.txt ->

TrackingCookie.Yieldmanager : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1004\Df15.txt ->

TrackingCookie.Yieldmanager : Cleaned.
F:\Documents and Settings\Paul\FQFBall\Various_Files\WINDOWS\Cookies\paul

nesvadba@c4.zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
F:\Documents and Settings\Paul\FQFBall\Various_Files\WINDOWS\Cookies\paul

nesvadba@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
F:\Documents and Settings\Suzanne\Cookies\suzanne@zedo[1].txt ->

TrackingCookie.Zedo : Cleaned.
F:\RECYCLER\S-1-5-21-1292428093-688789844-1957994488-1004\Df1.txt ->

TrackingCookie.Zedo : Cleaned.


::Report end

#10 agrarianmonk

Posted 18 July 2006 - 11:25 AM

Please Open Notepad, click on "Format" at the top, and click on "Word Wrap" and make sure that it is unchecked. Having word wrap on makes your logs extremely difficult to read.

*********************************

Using Windows Explorer/My Computer, please delete the following files/folders if still present:

f:\windows\system32\rk.bin
F:\Documents and Settings\David\Local Settings\Temporary Internet Files\Ssk.log

*********************************

Download this file - combofix.exe

and save it to your desktop.

go to start --> run and copy/paste in the following:

"%userprofile%\desktop\combofix.exe" /v tuvuv

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next post, please include
  • new hijackthis log
  • combofix log
*use separate posts to ensure the logs don't get cut off!
agrarianmonk

Requests for help via PM will be ignored. Please post on the forums instead :)
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#11 Spa1982

Posted 19 July 2006 - 11:08 AM

Hi, things have taken a turn for the worse! Basically I can't move with this machine anymore. XP seems to boot normally (maybe a bit sluggish). When I try and click Internet Explorer there is some HD activity and then nothing. When I click on anything on my desktop (My Computer, Recycle Bin etc etc) the screen goes blank for 1-2 seconds and then the desktop icons all appear again. This is very, very frustrating. I am accessing the internet from my laptop. Have you ever experienced anything like this before? I'm getting worried.

I can't carry out the tasks you asked for as a result of this. Any suggestions?

#12 agrarianmonk

Posted 19 July 2006 - 11:27 AM

hmm...that sounds bad.

Can you post a new hijackthis log?

#13 Spa1982

Posted 19 July 2006 - 12:14 PM

yip, it's bad!

I can boot to safe mode but actions are limited. I managed to run HJT from safe mode, however, and I'll post the log below.


Logfile of HijackThis v1.99.1
Scan saved at 17:24:18, on 19/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Documents and Settings\David\My Documents\hijackthis\hjt.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: (no name) - {73F6D94D-E2FD-4974-98B1-D078BD405774} - F:\WINDOWS\system32\tuvuv.dll
O2 - BHO: (no name) - {C423728F-E675-4951-8A8C-1FB83F0F96D3} - F:\WINDOWS\system32\tuvuv.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "F:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" -onlytray
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] "F:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "F:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/81cfc845dd...faa82523_35.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by7fd.bay7.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: scanregw.dll
O20 - Winlogon Notify: tuvuv - F:\WINDOWS\system32\tuvuv.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - F:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - F:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - F:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - F:\WINDOWS\System32\wltrysvc.exe




As for Combofix, I just managed to create a log, I'll post it in a separate reply in case it gets cut off.

#14 Spa1982

Posted 19 July 2006 - 12:16 PM

Here is the combofix log:

Start Time= 19/07/2006 18:08:36.62
Running from: F:\Documents and Settings\David\Desktop

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



2006-07-19 18:08 1,806 F:\WINDOWS\system32\vuvut.ini
2006-07-19 17:37 77,312 F:\WINDOWS\system32\vundofix.exe
2006-07-19 17:01 1,832 F:\WINDOWS\system32\perfstringbackup.ini
2006-07-19 11:00 547,681 F:\WINDOWS\system32\vuvut.bak2
2006-07-18 13:26 <DIR> F:\Program Files\quicktime
2006-07-18 13:26 <DIR> F:\Program Files\messenger
2006-07-18 13:26 <DIR> F:\Program Files\internet explorer
2006-07-18 13:26 <DIR> F:\Program Files\ewido anti-spyware 4.0
2006-07-18 13:26 <DIR> F:\Program Files\Common Files\scanner
2006-07-18 13:13 <DIR> F:\Program Files\?racle ( racle~1 )
2006-07-18 13:13 <DIR> F:\Documents and Settings\David\Application Data\w?nsxs ( wnsxs~1 )
2006-07-18 11:29 <DIR> F:\Program Files\common files
2006-07-17 18:28 <DIR> F:\Program Files\Common Files\adobe
2006-07-17 13:24 <DIR> F:\Program Files\zone labs
2006-07-17 13:22 776,096 F:\WINDOWS\system32\drivers\avg7core.sys
2006-07-17 13:22 4,288 F:\WINDOWS\system32\drivers\avg7rsw.sys
2006-07-17 13:22 27,776 F:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-07-17 13:22 23,424 F:\WINDOWS\system32\drivers\avgmfrs.sys
2006-07-17 13:22 <DIR> F:\Documents and Settings\David\Application Data\avg7
2006-07-17 13:21 <DIR> F:\Program Files\grisoft
2006-07-16 12:14 2 F:\WINDOWS\system32\wnscpsv.exe
2006-07-16 11:58 <DIR> F:\Documents and Settings\David\Application Data\stoik
2006-07-16 11:57 <DIR> F:\Program Files\stoik imaging
2006-07-15 18:55 <DIR> F:\Program Files\installshield installation information
2006-07-15 12:30 770 F:\WINDOWS\win.ini
2006-07-14 22:24 573,492 F:\WINDOWS\system32\tuvuv.dll
2006-07-14 18:49 <DIR> F:\Program Files\s?stem32 ( sstem3~1 )
2006-07-14 11:36 53,248 F:\WINDOWS\system32\process.exe
2006-07-14 11:36 42,496 F:\WINDOWS\system32\swreg.exe
2006-07-14 11:36 40,960 F:\WINDOWS\system32\swsc.exe
2006-07-14 11:36 288,417 F:\WINDOWS\system32\srchsts.exe
2006-07-14 10:35 <DIR> F:\Program Files\roguescanfix
2006-07-13 19:06 544 F:\WINDOWS\ulead32.ini
2006-07-13 17:39 <DIR> F:\Program Files\lavasoft
2006-07-13 17:39 <DIR> F:\Documents and Settings\David\Application Data\lavasoft
2006-07-11 18:28 <DIR> F:\Program Files\picasa2
2006-07-11 16:25 <DIR> F:\Documents and Settings\David\Application Data\nokia multimedia player
2006-07-11 16:19 <DIR> F:\Documents and Settings\David\Application Data\videoegg
2006-07-11 16:18 <DIR> F:\Program Files\videoegg
2006-07-11 15:21 161,221 F:\WINDOWS\expstudio audio editor free 3.97 uninstaller.exe
2006-07-11 15:21 <DIR> F:\Program Files\expstudio
2006-07-11 15:21 <DIR> F:\Program Files\Common Files\thraex software
2006-07-11 15:21 <DIR> F:\Program Files\Common Files\avsmedia
2006-07-08 18:57 <DIR> F:\Program Files\smartaudioconverter
2006-07-07 21:06 <DIR> F:\Documents and Settings\David\Application Data\datalayer
2006-07-07 20:31 <DIR> F:\Program Files\nokia
2006-07-07 20:30 <DIR> F:\Program Files\Common Files\pcsuite
2006-07-07 20:30 <DIR> F:\Program Files\Common Files\nokia
2006-07-07 20:30 <DIR> F:\Documents and Settings\David\Application Data\pc suite
2006-07-07 20:28 19 F:\WINDOWS\soundconverter.ini
2006-07-07 20:13 <DIR> F:\Documents and Settings\David\Application Data\leadertech
2006-07-07 20:13 <DIR> F:\Documents and Settings\David\Application Data\adobe
2006-07-07 20:12 <DIR> F:\Program Files\adobe
2006-07-07 16:44 252,928 F:\WINDOWS\wruninstall.dll
2006-07-07 16:43 208,896 F:\WINDOWS\system32\wrlogonntf.dll
2006-06-26 01:10 <DIR> F:\Program Files\easy cd creator
2006-06-18 17:54 83,960 F:\WINDOWS\system32\zlcomm.dll
2006-06-18 17:54 83,960 F:\WINDOWS\system32\vsdata.dll
2006-06-18 17:54 796,584 F:\WINDOWS\system32\libeay32_0.9.6l.dll
2006-06-18 17:54 71,672 F:\WINDOWS\system32\zlcommdb.dll
2006-06-18 17:54 71,672 F:\WINDOWS\system32\vsregexp.dll
2006-06-18 17:54 59,384 F:\WINDOWS\system32\vswmi.dll
2006-06-18 17:54 440,312 F:\WINDOWS\system32\vsutil.dll
2006-06-18 17:54 394,872 F:\WINDOWS\system32\vsdatant.sys
2006-06-18 17:54 268,280 F:\WINDOWS\system32\vspubapi.dll
2006-06-18 17:54 157,688 F:\WINDOWS\system32\vsinit.dll
2006-06-18 17:54 104,440 F:\WINDOWS\system32\vsmonapi.dll
2006-06-18 17:54 100,344 F:\WINDOWS\system32\vsxml.dll
2006-06-03 19:29 <DIR> F:\Documents and Settings\David\Application Data\utorrent
2006-05-31 18:05 <DIR> F:\Program Files\winunrar
2006-05-31 18:04 73,216 F:\WINDOWS\st6unst.exe
2006-05-31 18:04 286,720 F:\WINDOWS\setup1.exe
2006-05-30 12:47 <DIR> F:\Program Files\free download manager
2006-05-27 11:25 74 F:\WINDOWS\hdkctnts.ini
2006-05-27 11:18 <DIR> F:\Program Files\data becker
2006-05-26 20:15 24,576 F:\WINDOWS\system32\rmoc3260.dll
2006-05-23 17:25 402,736 F:\WINDOWS\system32\wgalogon.dll
2006-05-19 13:59 94,720 F:\WINDOWS\system32\iphlpapi.dll
2006-05-19 13:59 148,480 F:\WINDOWS\system32\dnsapi.dll
2006-05-19 13:59 111,616 F:\WINDOWS\system32\dhcpcsvc.dll
2006-05-17 09:20 <DIR> F:\Program Files\ghostgum
2006-05-17 09:19 <DIR> F:\Program Files\gs
2006-04-20 10:22 <DIR> F:\Program Files\outlook express
2006-04-20 10:22 <DIR> F:\Program Files\Common Files\system
2006-04-19 22:26 176,167 F:\WINDOWS\system32\rmocx.dll
2006-03-29 16:34 <DIR> F:\Documents and Settings\David\Application Data\sony corporation
2006-03-29 16:28 <DIR> F:\Program Files\sony
2006-03-29 16:15 <DIR> F:\Program Files\Common Files\sony shared
2006-03-29 16:14 <DIR> F:\Program Files\directx
2006-03-28 13:22 <DIR> F:\Program Files\msn gaming zone
2006-03-27 13:02 <DIR> F:\Documents and Settings\David\Application Data\real
2006-03-27 13:00 <DIR> F:\Program Files\Common Files\xing shared
2006-03-27 13:00 <DIR> F:\Program Files\Common Files\real
2006-03-27 12:59 <DIR> F:\Program Files\real
2006-03-26 17:58 <DIR> F:\Program Files\ca
2006-02-20 20:43 <DIR> F:\Program Files\Common Files\vivendi universal games
2006-02-20 20:43 <DIR> F:\Program Files\Common Files\installshield
2006-02-20 20:43 <DIR> F:\Program Files\barbie™
2006-02-18 01:06 <DIR> F:\Program Files\windows media player
2006-01-04 20:08 <DIR> F:\Program Files\microsoft works
2005-12-22 16:06 <DIR> F:\Program Files\netmeeting
2005-12-16 17:44 <DIR> F:\Documents and Settings\David\Application Data\help
2005-12-16 17:38 <DIR> F:\Documents and Settings\David\Application Data\microsoft
2005-11-27 17:46 <DIR> F:\Program Files\epson
2005-10-30 15:00 <DIR> F:\Program Files\spybot - search & destroy
2005-07-24 19:13 <DIR> F:\Documents and Settings\David\Application Data\nokia
2005-07-20 16:52 <DIR> F:\Program Files\google
2005-07-20 16:52 <DIR> F:\Documents and Settings\David\Application Data\google
2005-06-14 18:34 <DIR> F:\Program Files\serif
2005-04-12 23:30 <DIR> F:\Program Files\msn
2005-04-06 18:58 <DIR> F:\Documents and Settings\David\Application Data\adobeum
2005-03-30 14:55 <DIR> F:\Program Files\Common Files\microsoft shared
2005-03-28 18:45 <DIR> F:\Documents and Settings\David\Application Data\macromedia
2005-03-28 17:42 <DIR> F:\Documents and Settings\David\Application Data\identities
2005-03-26 14:49 <DIR> F:\Program Files\yahoo!
2005-03-25 03:21 <DIR> F:\Program Files\bt voyager
2005-03-23 15:39 <DIR> F:\Program Files\cliprex dvd player professional
2005-03-23 14:13 <DIR> F:\Program Files\ffdshow
2005-03-23 14:13 <DIR> F:\Program Files\ac3filter
2005-03-23 14:02 <DIR> F:\Program Files\fraunhofer dvd codecs
2005-03-23 13:32 <DIR> F:\Program Files\all-in-one dvd player
2005-03-13 22:29 <DIR> F:\Program Files\microsoft.net
2005-03-13 22:29 <DIR> F:\Program Files\microsoft activesync
2005-03-13 22:28 <DIR> F:\Program Files\microsoft office
2005-03-13 22:28 <DIR> F:\Program Files\Common Files\designer
2005-03-13 05:02 <DIR> F:\Program Files\uninstall information
2005-03-13 04:52 <DIR> F:\Program Files\xerox
2005-03-13 04:52 <DIR> F:\Program Files\microsoft frontpage
2005-03-13 04:49 <DIR> F:\Program Files\windowsupdate
2005-03-13 04:49 <DIR> F:\Program Files\online services
2005-03-13 04:48 <DIR> F:\Program Files\movie maker
2005-03-13 04:48 <DIR> F:\Program Files\Common Files\services
2005-03-13 04:48 <DIR> F:\Program Files\Common Files\mssoap
2005-03-13 04:46 <DIR> F:\Program Files\windows nt
2005-03-13 04:46 <DIR> F:\Program Files\complus applications
2005-03-13 04:30 <DIR> F:\Program Files\Common Files\speechengines
2005-03-13 04:30 <DIR> F:\Program Files\Common Files\odbc


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-19 18:05 536,399,872 F:\hiberfil.sys
2006-07-19 17:17 1,806 F:\WINDOWS\system32\vuvut.ini
2006-07-18 19:11 77,312 F:\WINDOWS\system32\VundoFix.exe
2006-07-17 13:52 53,248 F:\WINDOWS\system32\Process.exe
2006-07-17 13:52 42,496 F:\WINDOWS\system32\swreg.exe
2006-07-17 13:52 40,960 F:\WINDOWS\system32\swsc.exe
2006-07-17 13:52 288,417 F:\WINDOWS\system32\SrchSTS.exe
2006-07-17 13:24 83,960 F:\WINDOWS\system32\zlcomm.dll
2006-07-17 13:24 796,584 F:\WINDOWS\system32\libeay32_0.9.6l.dll
2006-07-17 13:24 71,672 F:\WINDOWS\system32\zlcommdb.dll
2006-07-17 13:24 71,672 F:\WINDOWS\system32\vsregexp.dll
2006-07-17 13:24 59,384 F:\WINDOWS\system32\vswmi.dll
2006-07-17 13:24 394,872 F:\WINDOWS\system32\vsdatant.sys
2006-07-17 13:24 268,280 F:\WINDOWS\system32\vspubapi.dll
2006-07-17 13:24 104,440 F:\WINDOWS\system32\vsmonapi.dll
2006-07-17 13:24 100,344 F:\WINDOWS\system32\vsxml.dll
2006-07-17 13:23 83,960 F:\WINDOWS\system32\vsdata.dll
2006-07-17 13:23 440,312 F:\WINDOWS\system32\vsutil.dll
2006-07-17 13:23 157,688 F:\WINDOWS\system32\vsinit.dll
2006-07-16 11:50 547,681 F:\WINDOWS\system32\vuvut.bak2
2006-07-15 12:30 208,896 F:\WINDOWS\system32\WRLogonNtf.dll
2006-07-15 12:29 684,032 F:\WINDOWS\libeay32.dll
2006-07-15 12:29 252,928 F:\WINDOWS\WRUninstall.dll
2006-07-15 12:29 155,648 F:\WINDOWS\ssleay32.dll
2006-07-14 22:24 573,492 F:\WINDOWS\system32\tuvuv.dll
2006-07-14 10:58 73,728 F:\WINDOWS\system32\asuninst.exe
2006-07-14 10:58 11,776 F:\WINDOWS\system32\ZPORT4AS.dll
2006-07-13 15:01 2 F:\WINDOWS\system32\wnscpsv.exe
2006-07-13 14:41 544 F:\WINDOWS\ulead32.ini
2006-07-13 14:41 26 F:\WINDOWS\dswplug.ini
2006-07-13 13:26 35,587 F:\WINDOWS\system32\rmusb20.EXE
2006-07-13 13:26 28,672 F:\WINDOWS\system32\Unusb20.exe
2006-07-13 13:26 177 F:\WINDOWS\system32\SETUP.INI
2006-07-13 13:26 12,288 F:\WINDOWS\system32\PCIVP.SYS
2006-07-13 12:39 53,760 F:\WINDOWS\system32\vfwwdm32.dll
2006-07-13 12:37 7,168 F:\WINDOWS\system32\hccoin.dll
2006-07-11 15:21 161,221 F:\WINDOWS\EXPStudio
2006-07-07 20:28 19 F:\WINDOWS\SoundConverter.INI
2006-06-26 01:10 47,616 F:\WINDOWS\system32\CDR4DLL.DLL
2006-06-26 01:09 48,128 F:\WINDOWS\system32\wnaspi32.dll
2006-06-26 01:09 299,008 F:\WINDOWS\uninst.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BluetoothAuthenticationAgent"="\"rundll32.exe\" bthprops.cpl,,BluetoothAuthenticationAgent"
"QuickTime Task"="\"F:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"eTrust PestPatrol Active Protection"="\"F:\\Program Files\\CA\\eTrust PestPatrol\\PPActiveDetection.exe\""
"TkBellExe"="\"F:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Adobe Photo Downloader"="\"F:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"PCSuiteTrayApplication"="\"F:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE\" -onlytray"
"AVG7_CC"="F:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"F:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="F:\\WINDOWS\\system32\\ctfmon.exe"
"PcSync"="\"F:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe\" /NoDialog"
"MSMSGS"="\"F:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"RealPlayer"="\"F:\\Program Files\\Real\\RealPlayer\\realplay.exe\" /RunUPGToolCommandReBoot"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="F:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="F:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="F:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="F:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder

Completion time: 19/07/2006 18:09:26.79
ComboFix ver 06.07.19.2 - This logfile is located at F:\ComboFix.txt

ComboFix.txt

#15 agrarianmonk


Posted 19 July 2006 - 01:07 PM

Hi,

Are you unable to boot into normal mode and post a HijackThis log?
agrarianmonk


Requests for help via PM will be ignored. Please post on the forums instead :)
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!



