
I Think I'm Infected By Vundo ><"


  • This topic is locked
19 replies to this topic

#1 memnark

memnark

  • Members
  • 23 posts

Posted 20 July 2006 - 08:20 AM

Hi, I recently received a message saying a Trojan Vundo was found, so I got a program called
VundoFix. It said the system was clean, but just to be safe I posted a HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:14:14 PM, on 20/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\program files\valve\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Gigabyte\Gigabyte GN-WPKG Wireless PCI Adapter SoftAP\Installer\WINXP\RaConfig2500.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\12Ghosts\12popup.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\DOCUME~1\NATHAN~1\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mppdqxyhkjut.com/Y8RWbLskUTAF80...4Vn0pZ5cgK.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: (no name) - {CC4EFC06-F87D-913F-38FF-6EE7E6D0F95A} - blank
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Show Love Atom Amok] C:\Documents and Settings\All Users\Application Data\dumbliveshowlove\Support Mpeg.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MessengerPlus3] "\" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Program Files\12Ghosts\12popup.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GN-WPKG Utility.lnk = C:\Program Files\Gigabyte\Gigabyte GN-WPKG Wireless PCI Adapter SoftAP\Installer\WINXP\RaConfig2500.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhab32 - C:\WINDOWS\SYSTEM32\winhab32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
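As an added example (not part of this thread, and not a HijackThis or ewido tool), the following Python script parses the `O`/`R` entry lines of a HijackThis log like the one above and flags the entry types a helper usually looks at first: a search bar pointing at an unrecognised host, a BHO with no name and no backing file, an autorun launched from a data directory, and a Winlogon Notify DLL that is not in a known-good baseline. The sample lines are copied from the log above; the allowlists (`KNOWN_NOTIFY_DLLS`, `KNOWN_SEARCH_DOMAINS`) and the heuristics are the editor's assumptions, and a flag means "review this", not "this is malicious".

```python
import ntpath
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Matches the "O4 - ..." / "R1 - ..." entry lines of a HijackThis log.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

# Constructed sample: entry lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mppdqxyhkjut.com/Y8RWbLskUTAF80...4Vn0pZ5cgK.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {CC4EFC06-F87D-913F-38FF-6EE7E6D0F95A} - blank
O4 - HKLM\..\Run: [Show Love Atom Amok] C:\Documents and Settings\All Users\Application Data\dumbliveshowlove\Support Mpeg.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhab32 - C:\WINDOWS\SYSTEM32\winhab32.dll
"""

# Editor's assumptions: a minimal allowlist of Winlogon Notify DLLs and of
# search-provider domains. A real baseline would be built from a known-good image.
KNOWN_NOTIFY_DLLS = {"wgalogon.dll"}
KNOWN_SEARCH_DOMAINS = ("msn.com", "microsoft.com", "google.com", "live.com")


@dataclass
class Entry:
    section: str  # e.g. "O4", "O20"
    body: str     # everything after "Oxx - "


@dataclass
class Flag:
    section: str
    reason: str
    body: str


def parse_hjt(text: str) -> list[Entry]:
    """Return the O/R entries of a HijackThis log, skipping header and process list."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def _host_allowed(url: str) -> bool:
    """True if the URL's host is one of the allowlisted domains or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in KNOWN_SEARCH_DOMAINS)


def review_flags(entries: list[Entry]) -> list[Flag]:
    """Apply simple triage heuristics; each flag is a 'look at this' marker."""
    flags = []
    for e in entries:
        if e.section == "R1" and "Search Bar" in e.body and " = " in e.body:
            url = e.body.split(" = ", 1)[1].strip()
            if url and not _host_allowed(url):
                flags.append(Flag(e.section, "search bar points at unrecognised host", e.body))
        elif e.section == "O2" and "(no name)" in e.body and (
            e.body.endswith("(no file)") or e.body.endswith(" - blank")
        ):
            flags.append(Flag(e.section, "BHO with no name and no backing file", e.body))
        elif e.section == "O4" and re.search(r"\\Application Data\\", e.body, re.I):
            flags.append(Flag(e.section, "autorun launched from a data directory", e.body))
        elif e.section == "O20" and e.body.startswith("Winlogon Notify:"):
            # The DLL path is the last " - " separated field of the entry.
            dll = ntpath.basename(e.body.rsplit(" - ", 1)[-1]).lower()
            if dll not in KNOWN_NOTIFY_DLLS:
                flags.append(Flag(e.section, "Winlogon Notify DLL not in baseline", e.body))
    return flags


if __name__ == "__main__":
    for f in review_flags(parse_hjt(SAMPLE_LOG)):
        print(f"{f.section:4} {f.reason}: {f.body}")
```

Run against the sample, the script flags five of the nine entries (the R1 search bar, both nameless BHOs, the "Show Love Atom Amok" autorun and the winhab32 Winlogon Notify entry) and leaves the Java BHO, Windows Defender and WgaLogon entries alone; the allowlists are the only thing that needs tuning to use it on another log.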


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 20 July 2006 - 06:45 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware. Do Not run a scan just yet; we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido scan report along with a new hijackthis log.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 memnark

memnark
  • Topic Starter

  • Members
  • 23 posts

Posted 21 July 2006 - 01:32 AM

Hi Sam,
I followed your instructions for the scan,
and a lot of spyware had been found, and a Trojan.

Thanks

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:23:25 PM 21/07/2006

+ Scan result:



HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{702EA91C-1ACF-4772-8078-18F2B2EE1031} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1765743649-2001210150-1454901144-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{702EA91C-1ACF-4772-8078-18F2B2EE1031} -> Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\yaywxvs.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
:mozilla.166:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.217:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.232:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.233:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.234:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.235:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.236:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.237:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.238:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.239:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.240:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.241:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.242:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.243:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.244:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.245:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.246:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.247:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.248:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.249:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.250:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.251:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.252:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.253:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.254:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.255:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.256:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.257:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.258:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.259:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.260:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.261:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.262:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.263:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.264:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.265:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.266:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.267:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.268:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.269:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.270:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.271:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.272:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.273:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.274:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.275:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.276:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.277:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.278:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.279:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.280:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.281:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.520:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.620:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Nathan Guo\Cookies\nathan guo@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.595:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.872:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.874:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.357:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.358:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.359:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.360:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.361:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.752:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
:mozilla.753:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
:mozilla.342:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.343:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.344:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.345:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.346:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.347:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.282:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.594:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
:mozilla.599:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
:mozilla.306:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.307:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.308:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.316:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.304:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.305:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.309:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.310:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.311:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.312:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.313:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.766:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup (quarantined).
:mozilla.767:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup (quarantined).
:mozilla.616:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup (quarantined).
:mozilla.679:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Clickhype : Cleaned with backup (quarantined).
:mozilla.115:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.116:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.117:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.120:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.487:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.488:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.54:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.625:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.626:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.627:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.362:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.363:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.364:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.426:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.427:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.428:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.182:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.183:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.185:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.186:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.187:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.188:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.112:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.137:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.403:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.578:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.617:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.16:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.17:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.18:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.19:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.501:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.502:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.503:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.504:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.505:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.506:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.507:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.508:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.509:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.510:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.511:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.512:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.513:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.837:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.839:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.843:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.118:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
:mozilla.119:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
:mozilla.20:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.21:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.22:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.23:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.666:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.667:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.668:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.669:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.697:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.698:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.699:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.798:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.799:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.800:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.801:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.802:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.675:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
:mozilla.676:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
:mozilla.47:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.48:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.49:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.50:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.51:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.52:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.53:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.857:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup (quarantined).
:mozilla.858:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup (quarantined).
:mozilla.827:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup (quarantined).
:mozilla.828:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup (quarantined).
:mozilla.829:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup (quarantined).
:mozilla.168:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup (quarantined).
:mozilla.100:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.65:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.66:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.67:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.68:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.69:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.70:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.71:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.72:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.73:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.74:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.75:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.76:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.77:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.78:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.79:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.80:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.81:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.82:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.83:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.84:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.85:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.86:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.87:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.88:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.89:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.90:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.91:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.92:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.93:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.94:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.95:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.96:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.97:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.98:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.99:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.314:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.315:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.348:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.349:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.350:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.351:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.352:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.353:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.354:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.538:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Trafic : Cleaned with backup (quarantined).
:mozilla.299:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.135:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
:mozilla.165:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
:mozilla.177:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.178:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.179:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.180:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.181:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.648:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.649:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.650:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win18.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win1F.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 4:30:43 PM, on 21/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\program files\valve\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Gigabyte\Gigabyte GN-WPKG Wireless PCI Adapter SoftAP\Installer\WINXP\RaConfig2500.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\12Ghosts\12popup.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOCUME~1\NATHAN~1\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mppdqxyhkjut.com/Y8RWbLskUTAF80...4Vn0pZ5cgK.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: (no name) - {CC4EFC06-F87D-913F-38FF-6EE7E6D0F95A} - blank
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Show Love Atom Amok] C:\Documents and Settings\All Users\Application Data\dumbliveshowlove\Support Mpeg.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

#4 memnark

memnark
  • Topic Starter

  • Members
  • 23 posts
  • Local time:01:58 PM

Posted 21 July 2006 - 01:49 AM

I don't know why, but I'm still getting a message from McAfee
saying I'm receiving PUPs and trojans that cannot be cleaned or quarantined.

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:58 PM

Posted 21 July 2006 - 04:12 PM

Your hijackthis log was cut off. Please post a new one.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 memnark

memnark
  • Topic Starter

  • Members
  • 23 posts
  • Local time:01:58 PM

Posted 22 July 2006 - 08:34 PM

Logfile of HijackThis v1.99.1
Scan saved at 11:30:59 AM, on 23/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Gigabyte\Gigabyte GN-WPKG Wireless PCI Adapter SoftAP\Installer\WINXP\RaConfig2500.exe
C:\Program Files\12Ghosts\12popup.exe
C:\Documents and Settings\Nathan Guo\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mppdqxyhkjut.com/Y8RWbLskUTAF80...4Vn0pZ5cgK.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: (no name) - {CC4EFC06-F87D-913F-38FF-6EE7E6D0F95A} - blank (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Show Love Atom Amok] C:\Documents and Settings\All Users\Application Data\dumbliveshowlove\Support Mpeg.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MessengerPlus3] "\" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Program Files\12Ghosts\12popup.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GN-WPKG Utility.lnk = C:\Program Files\Gigabyte\Gigabyte GN-WPKG Wireless PCI Adapter SoftAP\Installer\WINXP\RaConfig2500.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhab32 - C:\WINDOWS\SYSTEM32\winhab32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:58 PM

Posted 22 July 2006 - 09:16 PM

You have a program called Messenger Plus. It has installed a LOP infection on your computer.
Please click Start -> Control Panel -> Add/Remove Programs and uninstall these programs:

Messenger Plus


===========


Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mppdqxyhkjut.com/Y8RWbLskUTAF80...4Vn0pZ5cgK.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O20 - Winlogon Notify: winhab32 - C:\WINDOWS\SYSTEM32\winhab32.dll



===========


Delete this file.

C:\WINDOWS\SYSTEM32\winhab32.dll


===========


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser: click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser: click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



===========


Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.



========================================================
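The entries Buckeye_Sam singled out above (the hijacked Search Bar URL, the empty Local Page values, the winhab32 Winlogon Notify DLL, the blank BHO and the broken MessengerPlus3 Run entry) are the kind of thing a HijackThis log can be triaged for mechanically before a human looks at it. The following is an added Python example for this page; it is not code from the thread, from BleepingComputer or from HijackThis itself. It parses the R0/R1, O2, O4 and O20 line formats that appear in the logs posted here and applies a few defender-side rules: IE start/search URLs whose host is not on an analyst allowlist, BHOs with no name or a missing file, Run entries that launch from a data or temp directory or carry no executable path, and Winlogon Notify packages not on an allowlist. The allowlists KNOWN_GOOD_HOSTS and KNOWN_GOOD_WINLOGON_NOTIFY are assumptions chosen for the example; the sample lines are copied from the second log in the thread.

```python
"""Triage a HijackThis v1.99 log for the entry types discussed in this thread.

Added example for this page; not code from the thread, from BleepingComputer
or from HijackThis. The allowlists below are analyst-supplied assumptions.
"""
import re
from urllib.parse import urlparse

# Assumption: hosts the analyst accepts as legitimate IE start/search pages.
KNOWN_GOOD_HOSTS = {"ninemsn.com.au", "www.dell.com"}
# Assumption: Winlogon Notify packages the analyst accepts (lower-case names).
KNOWN_GOOD_WINLOGON_NOTIFY = {"wgalogon"}
# Directories from which a Run-key autostart deserves a second look.
SUSPICIOUS_DIRS = ("\\application data\\", "\\temp\\", "\\local settings\\")

# Constructed sample: lines copied from the second HijackThis log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mppdqxyhkjut.com/Y8RWbLskUTAF80...4Vn0pZ5cgK.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CC4EFC06-F87D-913F-38FF-6EE7E6D0F95A} - blank (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Show Love Atom Amok] C:\Documents and Settings\All Users\Application Data\dumbliveshowlove\Support Mpeg.exe
O4 - HKCU\..\Run: [MessengerPlus3] "\" /WinStart
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhab32 - C:\WINDOWS\SYSTEM32\winhab32.dll
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_line(line):
    """Return a dict for an R0/R1, O2, O4 or O20 line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry = {"section": section, "raw": line.strip()}
    if section in ("R0", "R1"):
        # "<registry key>,<value name> = <url or empty>"
        key, _, value = body.partition(" =")
        entry["key"], entry["value"] = key, value.strip()
    elif section == "O2":
        # "BHO: <name> - {CLSID} - <dll path, or 'blank'>"
        parts = body[len("BHO: "):].split(" - ", 2)
        entry["name"], entry["clsid"], entry["path"] = (parts + ["", "", ""])[:3]
    elif section == "O4":
        # "HKLM\..\Run: [<value name>] <command line>"; Startup-folder lines keep the body as cmd
        m4 = O4_RE.match(body)
        entry["name"] = m4.group("name") if m4 else ""
        entry["cmd"] = m4.group("cmd") if m4 else body
    elif section == "O20":
        # "Winlogon Notify: <package name> - <dll path>"
        name, _, dll = body[len("Winlogon Notify: "):].partition(" - ")
        entry["name"], entry["path"] = name, dll
    else:
        return None
    return entry


def triage(entry):
    """Return a short reason if the entry deserves analyst attention, else None."""
    s = entry["section"]
    if s in ("R0", "R1"):
        setting = entry["key"].rsplit(",", 1)[-1]
        if not entry["value"]:
            return f"empty IE {setting} value (reset to default)"
        host = urlparse(entry["value"]).hostname or ""
        if host not in KNOWN_GOOD_HOSTS:
            return f"IE {setting} points at unlisted host {host}"
    elif s == "O2":
        if (entry["name"] == "(no name)" or entry["path"].startswith("blank")
                or "file missing" in entry["path"]):
            return "unnamed or orphaned BHO"
    elif s == "O4":
        cmd = entry["cmd"].lower()
        if cmd.startswith('"\\"'):
            return "Run entry with no executable path"
        if any(d in cmd for d in SUSPICIOUS_DIRS):
            return "autostart launched from a data or temp directory"
    elif s == "O20":
        if entry["name"].lower() not in KNOWN_GOOD_WINLOGON_NOTIFY:
            return "Winlogon Notify DLL not on the allowlist"
    return None


def triage_log(text):
    """Parse every line of a log and return (section, reason, raw line) for each hit."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = triage(entry)
        if reason:
            findings.append((entry["section"], reason, entry["raw"]))
    return findings


if __name__ == "__main__":
    for section, reason, raw in triage_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {raw}")
```

Run against the sample it flags six lines: the Search Bar redirect, the empty Local Page value, the nameless BHO, the two odd Run entries and winhab32, while the Adobe BHO, iTunes autostart, ninemsn start page and WgaLogon pass. The allowlists are deliberately small; in practice they are built from a known-clean baseline of the same machine type, and a hit is a prompt for the analyst to look, not a verdict.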

#8 memnark

memnark
  • Topic Starter

  • Members
  • 23 posts
  • Local time:01:58 PM

Posted 22 July 2006 - 11:08 PM

Hey, Sam
I couldn't find Messenger Plus on the Add/Remove Programs list,
so I searched for it and deleted the file. I'm just wondering,
would that help, or do I need to somehow uninstall it properly?
-------------------------------------------------------------
Winhab32.dll could not be removed manually; when I found the file
and pressed delete, it said it was protected, and yeah,

I keep on getting these notices from McAfee:

File:srvnpw[1].exe
Trojan Name:Generic Downloader.ab
File Path: C:Documents and Settings/Nath
Status: Cannot be cleaned

Vertify that the file is not write-protected and try again.

but in an image; I have not figured out how to add an image yet.

And it seems each time I scan with ewido, Pakes Trojan is always on that list; I keep on getting it.
I want to find out what source it is coming from.

If worst comes to worst, would I need to format the computer?

Thanks,

Edited by memnark, 23 July 2006 - 03:26 AM.


#9 memnark

memnark
  • Topic Starter

  • Members
  • 23 posts
  • Local time:01:58 PM

Posted 22 July 2006 - 11:26 PM

This is the Panda ActiveScan:

Incident Status Location

Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt[.maxserving.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt[.realmedia.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt[.apmebf.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt[ad.sensismediasmart.com.au/]
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt[.tickle.com/]
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt[.rn11.com/]
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt[www.advnt01.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt[.bravenet.com/]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt[.888.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt[.gostats.com/]
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\Temp\win1DB.tmp.exe
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\Temp\win427.tmp.exe

Logfile of HijackThis v1.99.1
Scan saved at 2:23:29 PM, on 23/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Gigabyte\Gigabyte GN-WPKG Wireless PCI Adapter SoftAP\Installer\WINXP\RaConfig2500.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\12Ghosts\12popup.exe
C:\Documents and Settings\Nathan Guo\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: (no name) - {CC4EFC06-F87D-913F-38FF-6EE7E6D0F95A} - blank (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Show Love Atom Amok] C:\Documents and Settings\All Users\Application Data\dumbliveshowlove\Support Mpeg.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MessengerPlus3] "\" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Program Files\12Ghosts\12popup.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GN-WPKG Utility.lnk = C:\Program Files\Gigabyte\Gigabyte GN-WPKG Wireless PCI Adapter SoftAP\Installer\WINXP\RaConfig2500.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#10 memnark (Topic Starter, Members, 23 posts)

Posted 23 July 2006 - 03:27 AM

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:16:27 PM 23/07/2006

+ Scan result:

:mozilla.13:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.15:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.20:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.21:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.22:C:\Documents and Settings\Nathan Guo\Application Data\Mozilla\Firefox\Profiles\x5na4rf7.Default User\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win65C.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win66A.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).


::Report end

#11 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 23 July 2006 - 01:34 PM

Oh no. We're almost there. Don't even think about a format right now.

Download KillBox and unzip it to your desktop.

Open KillBox and select the "Delete on reboot" option.
Copy and paste the following file to the field labeled "Full path of file to delete"

C:\WINDOWS\SYSTEM32\winhab32.dll

Press the Delete button (the button that looks like a red circle with a white X in it).
A first dialog box will ask if you want to delete the file on reboot, press the YES button.
A second dialog box will ask you if you want to REBOOT now. Press the YES button.

Your computer will reboot.


==============


Open notepad and copy and paste this text in it:

rem look.bat: list the folders a hijacker usually drops into, with 8.3 short
rem names (/x) so entries like PROGRA~1 in a HijackThis log can be matched.
if exist %systemdrive%\look.txt del %systemdrive%\look.txt
cd /d "%appdata%"
dir /x >> %systemdrive%\look.txt
cd /d "%allusersprofile%\Application Data"
dir /x >> %systemdrive%\look.txt
cd /d "%programfiles%"
dir /x >> %systemdrive%\look.txt
rem scheduled-task files are hidden, so /a:h is needed to list them
dir "%windir%\tasks" /a:h >> %systemdrive%\look.txt
start notepad %systemdrive%\look.txt

Save this as look.bat, choose to save it as "all files", and place it on your desktop.
Double-click look.bat and post the content of the text file you get in your next reply, together with a new HijackThis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#12 memnark (Topic Starter, Members, 23 posts)

Posted 24 July 2006 - 04:18 AM

This is the look file

Volume in drive C has no label.
Volume Serial Number is DCAC-132E

Directory of C:\Documents and Settings\Nathan Guo\Application Data

25/10/2005 08:48 PM <DIR> BITTOR~1 .bittorrent
07/07/2005 11:45 PM <DIR> ACCLAI~1 Acclaim Entertainment
19/07/2006 11:26 PM <DIR> Adobe
04/09/2005 11:04 AM 1,059 AdobeDLM.log
10/10/2005 07:25 AM <DIR> AdobeUM
01/12/2005 09:41 PM <DIR> APPLEC~1 Apple Computer
01/11/2005 10:19 PM <DIR> Creative
04/08/2005 08:45 PM <DIR> CYBERL~1 CyberLink
05/10/2005 06:10 PM <DIR> Dev-Cpp
03/08/2005 03:40 PM 0 dm.ini
12/07/2005 03:29 PM <DIR> FotoWire
17/07/2005 06:45 PM <DIR> Google
13/10/2005 07:26 PM <DIR> Help
22/06/2005 02:04 AM <DIR> IDENTI~1 Identities
26/12/2005 03:47 PM <DIR> Ipswitch
03/01/2006 11:14 AM <DIR> Jasc
07/01/2006 02:24 PM <DIR> Lavasoft
29/06/2005 08:50 PM <DIR> LEADER~1 Leadertech
10/04/2006 06:26 PM <DIR> LIONHE~1 Lionhead Studios
12/07/2005 09:09 PM <DIR> Logitech
13/11/2005 08:01 AM <DIR> MACROM~1 Macromedia
30/06/2005 09:00 AM <DIR> MCAFEE~1.COM McAfee.com Personal Firewall
30/06/2005 09:06 PM <DIR> Mozilla
20/05/2006 06:04 PM <DIR> Real
29/06/2005 08:51 PM <DIR> Sonic
22/06/2005 02:29 AM <DIR> Sun
29/06/2005 04:47 PM <DIR> Template
28/12/2005 02:18 PM <DIR> Ventrilo
29/06/2006 03:59 PM <DIR> vlc
23/11/2005 06:12 PM <DIR> Webroot
17/11/2005 07:08 PM <DIR> Xfire
2 File(s) 1,059 bytes
29 Dir(s) 77,344,665,600 bytes free
Volume in drive C has no label.
Volume Serial Number is DCAC-132E

Directory of C:\Documents and Settings\All Users\Application Data

19/07/2006 11:36 PM <DIR> Adobe
06/11/2005 12:54 PM <DIR> APPLEC~1 Apple Computer
14/10/2005 07:29 PM <DIR> DUMBLI~1 dumbliveshowlove
22/06/2005 02:35 AM <DIR> INSTAL~1 InstallShield
26/12/2005 03:47 PM <DIR> Ipswitch
10/04/2006 06:21 PM <DIR> LIONHE~1 Lionhead Studios
11/11/2005 06:56 PM <DIR> MACROM~1 Macromedia
14/11/2005 09:24 PM <DIR> MACROV~1 Macrovision
29/06/2005 04:19 PM <DIR> McAfee.com
13/07/2006 11:43 PM <DIR> MCAFEE~1.COM McAfee.com Personal Firewall
19/08/2005 08:45 PM <DIR> MESSEN~1 Messenger Plus!
24/10/2005 12:34 AM <DIR> NVIEW_~1 nView_Profiles
03/07/2006 05:24 PM 1,783 QTSBAN~1 QTSBandwidthCache
01/07/2005 02:07 PM <DIR> QUICKT~1 QuickTime
22/06/2005 02:04 AM <DIR> SBSI
25/09/2005 11:20 PM <DIR> Trymedia
19/04/2006 11:41 PM <DIR> VIEWPO~1 Viewpoint
06/08/2005 12:29 PM <DIR> WINDOW~1 Windows Genuine Advantage
1 File(s) 1,783 bytes
17 Dir(s) 77,344,665,600 bytes free
Volume in drive C has no label.
Volume Serial Number is DCAC-132E

Directory of C:\Program Files

23/07/2006 01:58 PM <DIR> .
23/07/2006 01:58 PM <DIR> ..
23/07/2006 01:48 PM <DIR> 12Ghosts
04/12/2005 03:54 PM <DIR> 3ivx
29/06/2005 04:36 PM <DIR> ABBYYF~1.0 ABBYY FineReader 6.0
14/11/2005 09:23 PM <DIR> Adobe
07/08/2005 05:59 PM <DIR> ALIENG~1 AlienGUIse
30/12/2005 10:13 PM <DIR> AMERIC~1 America's Army
29/06/2006 03:53 PM <DIR> AVISYN~1.5 AviSynth 2.5
06/07/2005 06:18 PM <DIR> BETHES~1 Bethesda Softworks
22/06/2005 02:33 AM <DIR> BigPond
26/04/2006 01:08 AM <DIR> BitComet
25/10/2005 08:48 PM <DIR> BITTOR~1 BitTorrent
22/06/2005 02:31 AM <DIR> Broadcom
22/03/2006 02:49 PM <DIR> COMMON~1 Common Files
22/06/2005 02:05 AM <DIR> COMPLU~1 ComPlus Applications
22/06/2005 02:32 AM <DIR> Creative
22/06/2005 02:32 AM <DIR> CYBERL~1 CyberLink
11/08/2005 11:18 PM <DIR> D'ACCO~1 D'Accord Music Software
25/10/2005 07:43 PM <DIR> D-Tools
22/06/2005 02:34 AM <DIR> Dell
15/10/2005 07:45 PM <DIR> DeusEx
12/07/2005 03:33 PM <DIR> directx
17/07/2005 09:43 PM <DIR> DivX
28/09/2005 08:14 PM <DIR> DVDDEC~1 DVD Decrypter
10/04/2006 06:12 PM <DIR> EAGAME~1 EA GAMES
07/01/2006 11:47 PM <DIR> ELCOMS~1 ElcomSoft
24/07/2006 07:03 PM <DIR> EWIDOA~1.0 ewido anti-spyware 4.0
26/01/2006 09:26 AM <DIR> EXECUT~1 Executive Software
24/10/2005 07:32 AM <DIR> FUTURE~1 Futuremark
08/11/2005 07:03 AM <DIR> Gabest
03/01/2006 07:58 PM <DIR> GAMESP~1 GameSpy Arcade
04/01/2006 09:14 PM <DIR> Gigabyte
30/09/2005 11:15 PM <DIR> GIMP-2.0
17/07/2005 06:45 PM <DIR> Google
10/06/2006 11:33 AM 444,602,057 GOONZU~1.EXE goonzuengsetup.exe
21/12/2005 11:08 AM <DIR> GUITAR~1 Guitar Pro 5
01/04/2006 12:26 PM <DIR> Hamachi
04/11/2005 11:16 PM <DIR> IDSOFT~1 id Software
22/06/2005 02:31 AM <DIR> Intel
07/01/2006 11:37 PM <DIR> Intelore
23/07/2006 01:53 PM <DIR> INTERN~1 Internet Explorer
30/06/2005 11:19 PM <DIR> iPod
01/01/2006 07:15 PM <DIR> IRFANV~1 IrfanView
23/07/2006 01:53 PM <DIR> iTunes
02/01/2006 12:07 AM <DIR> JASCSO~1 Jasc Software Inc
24/03/2006 03:00 PM <DIR> Java
13/11/2005 02:12 PM <DIR> Lavalys
07/01/2006 02:24 PM <DIR> Lavasoft
15/01/2006 03:02 PM <DIR> LimeWire
10/04/2006 06:21 PM <DIR> LIONHE~1 Lionhead Studios Ltd
26/12/2005 01:51 AM <DIR> LITEXM~1 LitexMedia
12/07/2005 09:06 PM <DIR> Logitech
03/01/2006 08:00 PM <DIR> LUCASA~1 LucasArts
11/11/2005 06:56 PM <DIR> MACROM~1 Macromedia
24/10/2005 05:01 PM <DIR> MadOnion.com
12/08/2005 04:18 PM <DIR> MAIET
05/07/2005 11:45 PM <DIR> MATRIX~1 Matrix_ks
25/09/2005 08:59 PM <DIR> Maxis
02/07/2005 09:27 AM <DIR> McAfee.com
23/07/2006 02:01 PM <DIR> MESSEN~1 Messenger
29/06/2005 09:02 PM <DIR> MI3AA1~1 Microsoft ActiveSync
11/07/2006 12:20 AM <DIR> MIAF83~1 Microsoft AntiSpyware
22/06/2005 02:05 AM <DIR> MICROS~1 microsoft frontpage
03/01/2006 07:06 PM <DIR> MI9A48~1 Microsoft Games
29/06/2005 09:02 PM <DIR> MICROS~3 Microsoft Office
05/10/2005 06:11 PM <DIR> MICROS~4 Microsoft Visual Studio
29/06/2005 09:02 PM <DIR> MICROS~2 Microsoft Works
29/06/2005 09:01 PM <DIR> MICROS~1.NET Microsoft.NET
05/12/2005 09:24 PM <DIR> MOBILE~1 Mobile Action
22/06/2005 02:31 AM <DIR> MODEMH~1 Modem Helper
22/06/2005 02:31 AM <DIR> MODEMO~1 Modem On Hold
29/08/2005 05:44 PM <DIR> MOUNT&~1 Mount&Blade
22/06/2005 02:05 AM <DIR> MOVIEM~1 Movie Maker
24/07/2006 07:11 PM <DIR> MOZILL~1 Mozilla Firefox
31/01/2006 12:39 PM <DIR> MSN
22/06/2005 02:05 AM <DIR> MSNGAM~1 MSN Gaming Zone
23/07/2006 02:04 PM <DIR> MSNMES~1 MSN Messenger
12/07/2005 04:21 PM <DIR> MSXML4~1.0 MSXML 4.0
27/06/2006 07:32 PM <DIR> NDOORS
22/06/2005 02:05 AM <DIR> NETMEE~1 NetMeeting
18/12/2005 02:53 PM <DIR> nfsmwdem
24/07/2005 12:54 AM 1,035 nwconfig.ini
24/07/2005 01:03 AM 631 NWNPLA~1.INI nwnplayer.ini
22/06/2005 02:05 AM <DIR> ONLINE~1 Online Services
15/04/2006 08:16 PM <DIR> OUTLOO~1 Outlook Express
11/07/2006 01:01 PM <DIR> PEERGU~1 PeerGuardian2
24/08/2005 08:17 PM <DIR> POWERT~1 Power Tab Software
23/07/2006 02:08 PM <DIR> QUICKT~1 QuickTime
22/06/2005 02:33 AM <DIR> Real
22/03/2006 02:50 PM <DIR> REDSTO~1 Red Storm Entertainment
12/06/2006 05:45 PM <DIR> REGIST~1 Registry Mechanic
26/12/2005 03:42 PM <DIR> ROCKST~1 Rockstar Games
26/12/2005 01:16 AM <DIR> Samsung
18/12/2005 03:43 PM <DIR> Samurize
30/06/2006 08:33 AM <DIR> SMARTP~1 Smart Projects
26/06/2006 09:47 PM <DIR> softnyx
31/08/2005 07:45 PM <DIR> Sonic
23/07/2006 02:08 PM <DIR> SPYWAR~2 Spyware Doctor
09/07/2005 07:27 PM <DIR> SPYWAR~1 Spyware Nuker 2004
26/09/2005 04:17 PM <DIR> SQUARE~1 Square Soft, Inc
04/12/2005 04:41 PM <DIR> Stardock
01/02/2006 04:41 PM <DIR> UBISOF~1 Ubi Soft
01/02/2006 04:34 PM <DIR> ubi.com
22/03/2006 02:54 PM <DIR> Ubisoft
29/06/2005 05:14 PM <DIR> Valve
28/12/2005 02:13 PM <DIR> Ventrilo
29/06/2006 03:57 PM <DIR> VideoLAN
29/06/2006 03:53 PM <DIR> VIDEOR~1 VideoraiPodConverter
22/06/2005 02:33 AM <DIR> VIEWPO~1 Viewpoint
03/06/2006 03:26 PM <DIR> WARCRA~1 Warcraft III
23/11/2005 06:12 PM <DIR> Webroot
26/02/2006 08:23 AM <DIR> Winamp
23/07/2006 02:15 PM <DIR> WIFD1F~1 Windows Defender
12/07/2005 03:28 PM <DIR> WINDOW~4 Windows Media Components
23/07/2006 02:15 PM <DIR> WINDOW~2 Windows Media Player
22/06/2005 02:05 AM <DIR> WINDOW~1 Windows NT
23/07/2006 02:15 PM <DIR> WinRAR
15/07/2006 02:00 PM <DIR> WORLDO~1 World of Warcraft
23/07/2006 02:15 PM <DIR> WS_FTP~1 WS_FTP Pro
22/06/2005 02:05 AM <DIR> XEROX
11/12/2005 09:05 PM <DIR> XIMENS~1 Ximensions PP Starfield
3 File(s) 444,603,723 bytes
119 Dir(s) 77,344,653,312 bytes free
Volume in drive C has no label.
Volume Serial Number is DCAC-132E

Directory of C:\WINDOWS\tasks

24/07/2006 07:00 PM 284 AFE386F3918437BB.job
04/08/2004 07:00 AM 65 DESKTOP.INI
24/07/2006 07:11 PM 330 MP Scheduled Scan.job
24/07/2006 07:08 PM 6 SA.DAT
4 File(s) 685 bytes
0 Dir(s) 77,344,657,408 bytes free

The HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 7:16:36 PM, on 24/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Gigabyte\Gigabyte GN-WPKG Wireless PCI Adapter SoftAP\Installer\WINXP\RaConfig2500.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\12Ghosts\12popup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Nathan Guo\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: (no name) - {CC4EFC06-F87D-913F-38FF-6EE7E6D0F95A} - blank (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Show Love Atom Amok] C:\Documents and Settings\All Users\Application Data\dumbliveshowlove\Support Mpeg.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MessengerPlus3] "\" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Program Files\12Ghosts\12popup.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GN-WPKG Utility.lnk = C:\Program Files\Gigabyte\Gigabyte GN-WPKG Wireless PCI Adapter SoftAP\Installer\WINXP\RaConfig2500.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhab32 - winhab32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Thanks :thumbsup:

#13 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 24 July 2006 - 04:45 PM

Open notepad and copy and paste this text in it:
rem remjob.bat: remove the scheduled-task file the malware registered.
rem Task files are hidden system files, so clear those attributes before deleting.
cd /d "%windir%\Tasks"
attrib -r -s -h AFE386F3918437BB.job
del AFE386F3918437BB.job

Save this as remjob.bat, choose to save it as "all files", and place it on your desktop.

Double-click remjob.bat. A DOS window will open and close again; this is normal.


===============


Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

O2 - BHO: (no name) - {CC4EFC06-F87D-913F-38FF-6EE7E6D0F95A} - blank (file missing)
O4 - HKLM\..\Run: [Show Love Atom Amok] C:\Documents and Settings\All Users\Application Data\dumbliveshowlove\Support Mpeg.exe
O20 - Winlogon Notify: winhab32 - winhab32.dll (file missing)



===============


Uninstall any of these programs that are listed:

Viewpoint Manager
Viewpoint Media Player
Viewpoint Toolbar



===============


Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
  • If you have trouble getting into Safe mode go here for more info.
Once in safe mode, delete these folders.

C:\Documents and Settings\All Users\Application Data\dumbliveshowlove
C:\Documents and Settings\All Users\Application Data\Messenger Plus!
C:\Documents and Settings\All Users\Application Data\Viewpoint




Run ATF Cleaner once again to clean out your temp files.


================


Reboot back to normal mode and post a new hijackthis log.
Let me know how things are working for you now.
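The three entries Buckeye_Sam marks for "Fix Checked" above share two patterns a log reader looks for: a load point whose file is already gone (the Winlogon Notify key for winhab32.dll survived the KillBox delete-on-reboot, so the next log reports it as "(file missing)"), and a Run entry launched from a data directory rather than Program Files or Windows; the scheduled task he removes is a .job file with a random hexadecimal name. The following Python script is an added example, not part of this thread and not HijackThis code. It encodes those heuristics and runs them over lines copied from the 24 July log; the severity labels, the set of "hook" sections, the data-directory list and the random-name check are this example's assumptions, not HijackThis rules.

```python
"""
Triage of HijackThis v1.99.1 log lines and scheduled-task file names.

Added example; not part of the BleepingComputer thread and not HijackThis
code. Severities, HOOK_SECTIONS, DATA_DIRS and the random-name job check
are assumptions made for this example.
"""
import re

# Constructed sample: lines copied from the 24 July 2006 log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CC4EFC06-F87D-913F-38FF-6EE7E6D0F95A} - blank (file missing)
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Show Love Atom Amok] C:\Documents and Settings\All Users\Application Data\dumbliveshowlove\Support Mpeg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhab32 - winhab32.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""
# Constructed sample: file names from the C:\WINDOWS\tasks listing in the thread.
SAMPLE_TASKS = ["AFE386F3918437BB.job", "DESKTOP.INI", "MP Scheduled Scan.job", "SA.DAT"]

# Sections whose entries are DLLs loaded into another process (IE, Explorer,
# winlogon.exe). A "(file missing)" entry here is a hook that still fires but
# has nothing to load; the fix is the registry value, not a file.
HOOK_SECTIONS = {"O2", "O3", "O20", "O21", "O22"}
# Path fragments a legitimate autorun rarely lives under (assumption).
DATA_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")

FILE_MISSING = re.compile(r"\(file missing\)\s*$")
O4_LINE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
EXT = re.compile(r"^(?P<path>.+?\.(?:exe|dll|com|bat|cmd|scr|pif))(?=[\s,]|$)", re.I)
RANDOM_JOB = re.compile(r"^[0-9A-F]{12,}\.job$", re.I)


def program_path(cmd):
    """Best-effort extraction of the file a Run command actually launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        path = cmd[1:close] if close > 0 else cmd[1:]
        rest = cmd[close + 1:] if close > 0 else ""
    else:
        first = cmd.split(None, 1)[0] if cmd else ""
        # An unquoted path with spaces only shows up when the first token has a backslash.
        m = EXT.match(cmd if "\\" in first else first)
        path = m.group("path") if m else first
        rest = cmd[len(path):]
    # rundll32 is only the host process; report the DLL it loads.
    if path.lower() in ("rundll32", "rundll32.exe") and rest.strip():
        return program_path(rest)
    return path


def triage(log_text):
    """Return (severity, line, reason) for the lines a helper would examine first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if FILE_MISSING.search(line):
            if section in HOOK_SECTIONS:
                findings.append(("high", line, "hook whose DLL is gone: the registry entry outlived the file"))
            else:
                findings.append(("review", line, "target file missing: stale entry or half-removed component"))
            continue
        m = O4_LINE.match(line)
        if not m:
            continue
        path = program_path(m.group("cmd"))
        low = path.lower()
        if any(marker in low for marker in DATA_DIRS):
            findings.append(("high", line, "autorun launched from a data directory rather than Program Files or Windows"))
        elif "\\" not in path:
            findings.append(("review", line, "bare file name resolved via the PATH search order: confirm which copy runs"))
    return findings


def suspicious_job_names(names):
    """Task files named with nothing but a long hexadecimal string."""
    return [n for n in names if RANDOM_JOB.match(n)]


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {line}\n         {reason}")
    print("random-named jobs:", suspicious_job_names(SAMPLE_TASKS))
```

Run against the sample, the three "high" findings are exactly the lines fixed in the post above (the nameless BHO, the dumbliveshowlove Run entry and the winhab32 Notify key), while the O18 msnim protocol handler and the bare KHALMNPR.EXE come back as "review" only: both are worth a look, but the log alone does not prove either is malicious.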

#14 memnark (Topic Starter, Members, 23 posts)

Posted 25 July 2006 - 01:03 AM

Hello. The computer has been good, with nothing saying trojans are being received, after I deleted winhab32.dll.

Any recommendations for me to keep my computer safe? :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 3:59:05 PM, on 25/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Gigabyte\Gigabyte GN-WPKG Wireless PCI Adapter SoftAP\Installer\WINXP\RaConfig2500.exe
C:\Program Files\12Ghosts\12popup.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Nathan Guo\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MessengerPlus3] "\" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Program Files\12Ghosts\12popup.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GN-WPKG Utility.lnk = C:\Program Files\Gigabyte\Gigabyte GN-WPKG Wireless PCI Adapter SoftAP\Installer\WINXP\RaConfig2500.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:58 PM

Posted 25 July 2006 - 07:41 AM

You can fix these lines with Hijackthis to stop these programs from running automatically when you start up your computer.

O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MessengerPlus3] "\" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe




Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :flowers:
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
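The two things the post above asks the user to do by hand (tick the O4 lines in HijackThis, then click through Internet Options to change six Internet-zone settings) can be checked and applied from a script instead. The block below is an added example for this page, not code from the thread or from HijackThis. It assumes Windows with PowerShell 3 or later, that it is run as the user whose HKCU hive you want to inspect (HKLM changes need an administrator), and it relies on the documented Internet Explorer zone registry layout: HKCU\...\Internet Settings\Zones\3 is the Internet zone, the numeric value names are the individual settings, and the DWORD data is 0 = Enable, 1 = Prompt, 3 = Disable. The function names (Get-RunEntries, Remove-RunEntry, Test-InternetZone) are this example's own.

```powershell
# Added example (not from the BleepingComputer thread): audit what the post
# above fixes by hand. Assumes PowerShell 3+, run as the user under review.
# Zone 3 = Internet zone; setting codes and the 0/1/3 data values are the
# documented IE zone registry layout.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# The six settings the post changes, keyed by the registry value name.
$Recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                         Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                       Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                            Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';             Want = 1 }
}
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-RunEntries {
    # Equivalent of the HijackThis O4 lines for the two Run keys:
    # every value name and command under HKLM and HKCU ...\CurrentVersion\Run.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... note properties; skip them.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Hive = $hive; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Remove-RunEntry {
    # Same effect as ticking an O4 line and pressing "Fix checked": the value is
    # deleted so the program no longer autostarts. The file itself is NOT removed.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('HKLM', 'HKCU')][string]$Hive,
        [Parameter(Mandatory)][string]$Name
    )
    $key = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if ($PSCmdlet.ShouldProcess("$Hive Run\$Name", 'Remove autostart entry')) {
        Remove-ItemProperty -Path $key -Name $Name
    }
}

function Test-InternetZone {
    # Report each of the six settings against the post's recommendation; with
    # -Apply, write the recommended value (honours -WhatIf / -Confirm).
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Apply)
    $current = Get-ItemProperty -Path $ZonePath
    foreach ($id in $Recommended.Keys) {
        $have = $current.$id
        $want = $Recommended[$id].Want
        $ok   = ($null -ne $have) -and ([int]$have -eq $want)
        if ($null -eq $have)                       { $haveText = '(not set: zone default)' }
        elseif ($Label.ContainsKey([int]$have))    { $haveText = $Label[[int]$have] }
        else                                       { $haveText = "raw value $have" }
        [pscustomobject]@{
            Setting = $Recommended[$id].Name
            Current = $haveText
            Wanted  = $Label[$want]
            OK      = $ok
        }
        if (-not $ok -and $Apply -and
            $PSCmdlet.ShouldProcess($Recommended[$id].Name, "set to $($Label[$want])")) {
            Set-ItemProperty -Path $ZonePath -Name $id -Value $want -Type DWord
        }
    }
}

# Usage:
#   Get-RunEntries | Format-Table -AutoSize          # list autostarts (HJT O4 view)
#   Remove-RunEntry -Hive HKCU -Name 'RealPlayer' -WhatIf
#   Test-InternetZone | Format-Table -AutoSize       # audit only
#   Test-InternetZone -Apply -WhatIf                 # preview the registry writes
```

Two caveats worth keeping in mind. Removing a Run value stops the autostart but leaves the program on disk, which is exactly what the "fix these lines" step in the post does; a malicious binary still has to be removed separately. And a setting that is absent from the Zones\3 key falls back to the zone template, so the audit reports "not set" rather than assuming a value; applying the recommendation writes an explicit DWORD, which is what the Custom Level dialog does as well.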

