Please Help!



#1 debrao

Posted 24 July 2006 - 03:09 PM

Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 3:02:39 PM, on 7/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTouch\iTouch.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\1105651775\ee\AOLSoftware.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\common files\aol\1105651775\ee\services\antiSpywareApp\ver2_0_27_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1105651775\ee\aolsoftware.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\TEMP\winD41.tmp.exe
C:\DOCUME~1\DEBRAO~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\Debra Orton\Application Data\Mozilla\Profiles\default\zz1j54nn.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Debra Orton\Application Data\Mozilla\Profiles\default\zz1j54nn.slt\prefs.js)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105651775\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [VSL13.exe] C:\WINDOWS\system32\VSL13.exe
O4 - HKCU\..\Run: [1201.exe] C:\Documents and Settings\Debra Orton\Application Data\System Restore\1201.exe
O4 - HKCU\..\Run: [ssqbn.exe] C:\WINDOWS\system32\ssqbn.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.jcash.biz/l/134b13c3553454ad19...0ddaf677_13.exe
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\k480lelm1hqa.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winepi32 - C:\WINDOWS\SYSTEM32\winepi32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks in Advance!!


#2 miekiemoes

Posted 25 July 2006 - 05:47 AM

Hello,

First of all, you didn't unzip/extract hijackthis.. and it's still in the tempfolder.
So I strongly advise to unzip/extract hijackthis.zip.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Create a permanent folder and move hijackthis.exe into it. The reason is because hijackthis creates backups and when it's in your temp-folder it can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

* Open hijackthis, click 'config' (bottom right)
Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'
In the field, copy and paste next:

C:\WINDOWS\SYSTEM32\winepi32.dll

Click open.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now. Click Yes/ok
Your system should reboot now.

After reboot, It is important you don't miss a step and perform

I see you have Viewpoint installed.
Viewpoint Manager is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change, from what we know, in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
* Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute'-window you'll see a little icon as shown in next picture: Posted Image
When you click that icon, a little window will open that says: 'Please enter the full URL to the sript you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script
( alcanshorty.bfu ) manually from above url ( rightclick on it and choose 'save as' and save it in your BFU-folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute'-window
Browse to the script you downloaded and Click Ok and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

-------------------------

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Please download, install, and update Ewido anti-spyware
  • Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close Ewido and reboot!!
* Download Combofix to your desktop.
Doubleclick combo.exe

Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog and the log from Ewido.

#3 debrao

Posted 25 July 2006 - 09:59 AM

Ok - you said in hijack this to:

Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'


When I choose 'delete a file on reboot', hijack this closes. I don't get an option to enter a file name.

#4 debrao

Posted 25 July 2006 - 12:01 PM

I posted my hjt log & one of the instructions I received was to:

open hjt
click config
choose tab 'misc. tools'
choose 'delete a file on reboot'
in the field, copy & paste c:\windows\system32\winepi32.dll

Every time I click on 'delete a file on reboot', hjt closes. I never get a field to put the file name in.

Any ideas??

#5 KoanYorel

Posted 25 July 2006 - 12:15 PM

Hi debrao

I've merged your separate post with this thread. Please keep all related questions on this topic in this thread so that the HJT Tech helping you here has all the information necessary to continue to help you.

You'll also need to be patient and wait for replies.

Regards,
KoanYorel

#6 miekiemoes

Posted 25 July 2006 - 03:50 PM

Hi,

Just proceed with the rest of my steps.. we'll see afterwards what we should do.

#7 debrao

Posted 25 July 2006 - 07:02 PM

combofix log:

Start Time= Tue 07/25/2006 16:48:12.85
Running from: C:\Documents and Settings\Debra Orton\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcbyyv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkji
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon\Settings
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winepi32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{9B35C993-D1F1-4807-A757-B09F1279E792}]
@=""

[HKEY_CLASSES_ROOT\clsid\{9B35C993-D1F1-4807-A757-B09F1279E792}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{9B35C993-D1F1-4807-A757-B09F1279E792}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{9B35C993-D1F1-4807-A757-B09F1279E792}\InprocServer32]
@="C:\\WINDOWS\\system32\\kqdro.dll"
"ThreadingModel"="Apartment"

Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-25 16:47:34 2 ( A.... ) "C:\WINDOWS\system32\wintsvcc.exe"
2006-07-25 16:47:32 ( .D... ) "C:\Program Files\?racle"
2006-07-25 16:09:54 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-25 15:02:40 ( .D... ) "C:\Program Files\Common Files\F?nts"
2006-07-25 14:10:44 ( .D... ) "C:\Program Files\HijackThis"
2006-07-25 11:38:58 ( .D... ) "C:\Documents and Settings\Debra Orton\Application Data\?ymantec"
2006-07-25 11:38:52 32206 ( ..SH. ) "C:\Program Files\Common Files\Y1123OU.exe"
2006-07-25 10:26:40 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-25 09:55:02 65556 ( A.... ) "C:\WINDOWS\system32\tixfuaiw.exe"
2006-07-25 09:50:12 22 ( A.... ) "C:\Program Files\hijackthis.zip"
2006-07-25 08:54:02 573492 ( ..... ) "C:\WINDOWS\system32\pmkji.dll"
2006-07-25 08:51:28 20992 ( A.... ) "C:\WINDOWS\system32\b99cbd35.exe"
2006-07-25 08:48:44 ( .D... ) "C:\Program Files\Common Files\W?nSxS"
2006-07-25 08:48:28 ( .D... ) "C:\Program Files\Cowabanga"
2006-07-24 15:38:02 ( .D... ) "C:\Documents and Settings\Debra Orton\Application Data\Lavasoft"
2006-07-24 15:37:56 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-24 15:06:32 38412 ( A.... ) "C:\WINDOWS\system32\ssqbn.exe"
2006-07-24 15:06:28 48193 ( A.... ) "C:\WINDOWS\system32\VSL13.exe"
2006-07-24 13:35:06 ( .D... ) "C:\Program Files\Roguescanfix"
2006-07-24 13:19:38 ( .D... ) "C:\Documents and Settings\Debra Orton\Application Data\System Restore"
2006-07-21 15:36:50 15872 ( A.... ) "C:\WINDOWS\system32\winepi32.dll"
2006-07-05 09:01:42 ( .D... ) "C:\Program Files\America Online 9.0c"
2006-07-02 19:21:08 ( .D... ) "C:\Program Files\America Online 9.0b"
2006-06-28 10:07:20 139264 ( A.... ) "C:\WINDOWS\system32\seqff.dll"
2006-06-23 10:22:08 9216 ( A.... ) "C:\WINDOWS\l.dll"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-05-31 18:53:34 104008 ( A.... ) "C:\WINDOWS\system32\AOLDial.dll"
2006-05-21 18:10:10 126976 ( A.... ) "C:\WINDOWS\system32\zip.exe"
2006-05-21 18:10:08 53248 ( A.... ) "C:\WINDOWS\system32\process.exe"
2006-05-19 07:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 07:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 07:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-25 15:56 1,073,270,784 C:\hiberfil.sys
2006-07-25 09:55 65,556 C:\WINDOWS\system32\tixfuaiw.exe
2006-07-25 08:53 573,492 C:\WINDOWS\system32\pmkji.dll
2006-07-25 08:51 20,992 C:\WINDOWS\system32\b99cbd35.exe
2006-07-25 08:48 2 C:\WINDOWS\system32\wintsvcc.exe
2006-07-25 08:48 139,264 C:\WINDOWS\system32\seqff.dll
2006-07-24 14:20 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-24 14:20 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-24 13:44 53,248 C:\WINDOWS\system32\process.exe
2006-07-24 13:44 126,976 C:\WINDOWS\system32\zip.exe
2006-07-24 13:19 48,193 C:\WINDOWS\system32\VSL13.exe
2006-07-24 13:19 38,412 C:\WINDOWS\system32\ssqbn.exe
2006-07-21 15:36 15,872 C:\WINDOWS\system32\winepi32.dll
2006-06-23 10:22 9,216 C:\WINDOWS\l.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"zBrowser Launcher"="C:\\Program Files\\iTouch\\iTouch.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"MMTray"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe\""
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1105651775\\ee\\AOLSoftware.exe"
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"AS00_Gear311T"="C:\\Program Files\\NETGEAR\\WG311TSU\\Utility\\Gear311T.exe -hide"
"zzzHPSETUP"="E:\\Setup.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Ulead Photo Express Calendar Checker"="C:\\Program Files\\Ulead Systems\\Ulead Photo Express 5 SE\\calcheck.exe"
"Ulead AutoDetector"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"b99cbd35.exe"="C:\\WINDOWS\\system32\\b99cbd35.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"VSL13.exe"="C:\\WINDOWS\\system32\\VSL13.exe"
"1201.exe"="C:\\Documents and Settings\\Debra Orton\\Application Data\\System Restore\\1201.exe"
"ssqbn.exe"="C:\\WINDOWS\\system32\\ssqbn.exe"
"Crao"="\"C:\\WINDOWS\\ICROSO~1.NET\\winspool.exe\" -vt ndrv"
"Epx"="C:\\PROGRA~1\\COMMON~1\\WNSXS~1\\HKDSK~1.EXE"
"b99cbd35.exe"="C:\\Documents and Settings\\Debra Orton\\Local Settings\\Application Data\\b99cbd35.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000
"NoActiveDesktopChanges"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Messenger\\telyh.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Windows NT\\ryjofuw.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,60,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder

Completion time: Tue 07/25/2006 18:52:28.98
ComboFix ver 06.07.15 - This logfile is located at C:\ComboFix.txt

EWIDO:

--------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:42:13 PM 7/25/2006

+ Scan result:



C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP615\A0104469.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP615\A0104507.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP615\A0104512.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104527.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104564.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104577.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104592.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104684.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104694.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0105197.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0105211.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0105224.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cqmodem.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\jtr2079oe.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105308.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105367.EXE -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105391.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ddcbyyv.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hggefdb.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\pmkji.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105486.exe -> Downloader.Adload.cu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105485.exe -> Downloader.Adload.cy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP614\A0104406.exe -> Downloader.Adload.de : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105287.exe -> Downloader.Adload.de : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105489.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\WINDOWS\__delete_on_reboot__g_6_6_5_9_2_8_1_._d_l_l_ -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\WINDOWS\g178890.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
[2504] C:\WINDOWS\g6659281.dll -> Downloader.Delf.aeo : Error during cleaning.
[2832] C:\WINDOWS\g6659281.dll -> Downloader.Delf.aeo : Error during cleaning.
[328] C:\WINDOWS\g6659281.dll -> Downloader.Delf.aeo : Error during cleaning.
C:\Program Files\Common Files\Y1123OA.exe -> Downloader.PurityScan.cq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104589.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104695.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104839.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0105208.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0105220.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0105257.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105279.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105301.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105320.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105323.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105336.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105362.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105379.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105415.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\WINDOWS\epcvmfd.dll -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\Program Files\ComPlus Applications\rydytih.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104604.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0105204.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0105217.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0105256.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105274.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105298.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105322.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105333.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105361.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105378.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105413.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104606.exe -> Downloader.Zlob.zx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104607.exe -> Downloader.Zlob.zx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP614\A0104409.dll -> Downloader.Zlob.zy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104608.exe -> Downloader.Zlob.zy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104609.exe -> Downloader.Zlob.zy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104610.dll -> Downloader.Zlob.zy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104611.dll -> Downloader.Zlob.zy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104612.dll -> Downloader.Zlob.zy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104613.dll -> Downloader.Zlob.zy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104614.dll -> Downloader.Zlob.zy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104615.dll -> Downloader.Zlob.zy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104616.dll -> Downloader.Zlob.zy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104617.dll -> Downloader.Zlob.zy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104618.dll -> Downloader.Zlob.zy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104619.dll -> Downloader.Zlob.zy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104620.dll -> Downloader.Zlob.zy : Cleaned with backup (quarantined).
C:\WINDOWS\v1201.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105414.exe -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105285.exe -> Hijacker.VB.fg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105286.exe -> Hijacker.VB.fg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105288.exe -> Hijacker.VB.fg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP619\A0105487.exe -> Hijacker.VB.nh : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N68M2301NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWA6P_0001_N68M2301NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWA6P_0001_N68M2301NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWA6P_0001_N68M2301NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWA6P_0001_N68M2301NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UWA6P_0001_N68M2301NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N68M2301NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{65CB372D-E45C-438A-8D1D-62BA9819FA04}\RP618\A0104579.DLL -> Not-A-Virus.Hoax.Win32.Renos.dw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\components\flx5.dll -> Not-A-Virus.Hoax.Win32.Renos.dw : Cleaned with backup (quarantined).
:mozilla.98:C:\Documents and Settings\Debra Orton\Application Data\Mozilla\Profiles\default\zz1j54nn.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.99:C:\Documents and Settings\Debra Orton\Application Data\Mozilla\Profiles\default\zz1j54nn.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.44:C:\Documents and Settings\Debra Orton\Application Data\Netscape\NSB\Profiles\s16ybj8d.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.45:C:\Documents and Settings\Debra Orton\Application Data\Netscape\NSB\Profiles\s16ybj8d.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.46:C:\Documents and Settings\Debra Orton\Application Data\Netscape\NSB\Profiles\s16ybj8d.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.47:C:\Documents and Settings\Debra Orton\Application Data\Netscape\NSB\Profiles\s16ybj8d.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.48:C:\Documents and Settings\Debra Orton\Application Data\Netscape\NSB\Profiles\s16ybj8d.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.49:C:\Documents and Settings\Debra Orton\Application Data\Netscape\NSB\Profiles\s16ybj8d.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.50:C:\Documents and Settings\Debra Orton\Application Data\Netscape\NSB\Profiles\s16ybj8d.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.51:C:\Documents and Settings\Debra Orton\Application Data\Netscape\NSB\Profiles\s16ybj8d.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.77:C:\Documents and Settings\Debra Orton\Application Data\Netscape\NSB\Profiles\s16ybj8d.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned with backup (quarantined).
:mozilla.20:C:\Documents and Settings\Debra Orton\Application Data\Mozilla\Profiles\default\zz1j54nn.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Debra Orton\Cookies\debra orton@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Debra Orton\Cookies\debra orton@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Debra Orton\Cookies\debra orton@adopt.specificclick[3].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Debra Orton\Cookies\debra orton@adopt.specificclick[4].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.100:C:\Documents and Settings\Debra Orton\Application Data\Mozilla\Profiles\default\zz1j54nn.slt\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.32:C:\Documents and Settings\Debra Orton\Application Data\Netscape\NSB\Profiles\s16ybj8d.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.33:C:\Documents and Settings\Debra Orton\Application Data\Netscape\NSB\Profiles\s16ybj8d.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.22:C:\Documents and Settings\Debra Orton\Application Data\Netscape\NSB\Profiles\s16ybj8d.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.23:C:\Documents and Settings\Debra Orton\Application Data\Netscape\NSB\Profiles\s16ybj8d.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Debra Orton\Cookies\debra orton@media.top-banners[1].txt -> TrackingC

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:02:13 AM

Posted 26 July 2006 - 01:57 AM

Hello,

It looks like you managed to get more infections..

Please perform the next steps in the right order!!!

Go to Start > Control Panel > Software > Add/Remove Programs and uninstall the following if present:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it.


If OIN is not listed, download and run this uninstaller.

Reboot when done! Really important!

Open Notepad and copy and paste the contents of the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"b99cbd35.exe"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"VSL13.exe"=-
"1201.exe"=-
"ssqbn.exe"=-
"Crao"=-
"Epx"=-
"b99cbd35.exe"=-

Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

* Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".
Click the button: All Files (!important!)
Now it should flash green.

Now copy the next bold part:

C:\Program Files\Common Files\Y1123OU.exe
C:\WINDOWS\system32\tixfuaiw.exe
C:\WINDOWS\system32\b99cbd35.exe
C:\WINDOWS\system32\wintsvcc.exe
C:\WINDOWS\system32\seqff.dll
C:\WINDOWS\system32\VSL13.exe
C:\WINDOWS\l.dll
C:\Program Files\Messenger\telyh.html
C:\Program Files\Windows NT\ryjofuw.html
C:\Documents and Settings\Debra Orton\Local Settings\Application Data\b99cbd35.exe
C:\Documents and Settings\Debra Orton\Application Data\System Restore\1201.exe


Open 'File' in the Killbox menu at the top and choose Paste from clipboard.

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.

Your computer should reboot now.

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Uncheck and delete everything you find in there. (except for "My current home page")
Hit ok below > apply in previous window.

Then go to Start > Run and copy and paste the next command into the field:

"C:\Documents and Settings\Debra Orton\Desktop\combofix.exe" /v ddcbyyv pmkji winepi32

Hit enter.
This should start the combofix.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

Edited by miekiemoes, 26 July 2006 - 01:58 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
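
Before merging a .reg file supplied by someone else, it helps to list exactly which keys and values it touches. The following is an added example, not part of the original post or of any tool it mentions: a small Python parser (the names `summarize_reg` and `only_deletes` are hypothetical) that reads the fix.reg text above and reports each operation, treating `"name"=-` as a value deletion and `[-KEY]` as a key deletion.

```python
import re

# The fix.reg text from the post above, embedded so the example runs offline.
FIX_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"b99cbd35.exe"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"VSL13.exe"=-
"1201.exe"=-
"ssqbn.exe"=-
"Crao"=-
"Epx"=-
"b99cbd35.exe"=-
'''

HEADERS = {"REGEDIT4", "Windows Registry Editor Version 5.00"}
KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')                  # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')  # "name"=data or @=data

def summarize_reg(text):
    """Return (operation, key, value_name) tuples for each change a .reg file makes."""
    text = re.sub(r'\\\r?\n\s*', '', text)  # join hex data continued with a trailing backslash
    lines = [s for s in (ln.strip() for ln in text.splitlines()) if s and not s.startswith(";")]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing REGEDIT4 / version 5.00 header line")
    ops, key = [], None
    for ln in lines[1:]:
        m = KEY_RE.match(ln)
        if m:
            key = m.group(2)
            if m.group(1):  # leading '-' inside the brackets removes the whole key
                ops.append(("delete-key", key, None))
            continue
        m = VALUE_RE.match(ln)
        if not m or key is None:
            raise ValueError(f"unparsed line: {ln!r}")
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        op = "delete-value" if m.group(2) == "-" else "set-value"
        ops.append((op, key, name))
    return ops

def only_deletes(ops):
    """True when the file removes values or keys and never writes new data."""
    return all(op.startswith("delete") for op, _, _ in ops)
```

Calling `summarize_reg(FIX_REG)` lists eight value deletions across the three keys, and `only_deletes` confirms the file writes no new data to the registry.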

#9 miekiemoes


Posted 01 August 2006 - 05:49 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.