Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 09-04-2006, 07:05 PM   #1 (permalink)
Registered User
 
Join Date: Sep 2006
Posts: 7
OS: Windows XP Pro SP2


Downloader.Generic2.JVQ, Pakes.U and Dialer.28.A

AVG keeps coming up with alerts every few minutes for Pakes.U and Dialer.28.A. After running several different virus scans, alerts for Downloader.Generic2.JVQ also come up every so often. I'm pretty sure they are all related, but nothing I could find on Google was any help in removing them.

Logfile of HijackThis v1.99.1
Scan saved at 01:56:07 AM, on 05/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WService.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\HJT\senor butts.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {30796087-BB6B-4B22-878F-B3C1FB696F67} - C:\WINDOWS\system32\awvvt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1143323537687
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C632C53B-D695-4619-9529-A4F57CD695A5}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awtussr - C:\WINDOWS\SYSTEM32\awtussr.dll
O20 - Winlogon Notify: awvvt - C:\WINDOWS\system32\awvvt.dll
O20 - Winlogon Notify: wineil32 - C:\WINDOWS\SYSTEM32\wineil32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE
Jake5 is offline  
Old 09-05-2006, 10:31 AM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,740
OS: 2000 Pro; XP Pro; XP Home


Please submit the following file to Jotti File Scan

C:\WINDOWS\SYSTEM32\awtussr.dll

At the top of the window you should see "File to Upload & scan" and a blank box. Copy and paste the red text from above into the box. Then click "submit".

When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" here.


1. Download this file from one of these locations:

http://download.bleepingcomputer.com/sUBs/combofix.exe

http://www.techsupportforum.com/sectools/combofix.exe


* IMPORTANT !!! Place it on your Desktop.


2. Go to Start -> Run and then paste in this single line command & click OK
"%userprofile%\desktop\combofix.exe" /v awvvt wineil32


Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

3. When finished, it shall produce a log for you. Post that log in your next reply with a new HJT log and the jotti scan results.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 09-05-2006, 10:53 AM   #3 (permalink)
Registered User
 
Join Date: Sep 2006
Posts: 7
OS: Windows XP Pro SP2


That file scan website appears to be down; when I click on the link it says "Error: unable to connect to database. The administrator has already been notified, it is not necessary to contact us."

ComboFix

Jake - 06-09-05 17:54:44.65
ComboFix 06.09.04BT - Running from: C:\Documents and Settings\Jake\desktop

Microsoft Windows XP [Version 5.1.2600]

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\awvvt.dll
C:\WINDOWS\system32\wineil32.dll
C:\WINDOWS\system32\tvvwa.bak1
C:\WINDOWS\system32\tvvwa.ini
C:\WINDOWS\system32\tvvwa.ini2
C:\WINDOWS\system32\tvvwa.tmp


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{5489E034-0711-2057-0708-05062805002c}
C:\Program Files\ToolBar888


((((((((((((((((((((((((((((((( Files Created from 2006-08-05 to 2006-09-05 ))))))))))))))))))))))))))))))))))


2006-09-05 12:57 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-09-05 12:57 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-09-05 12:57 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2006-09-05 00:12 40,973 ---hs---- C:\WINDOWS\system32\awtussr.dll
2006-09-04 17:57 40,973 ---hs---- C:\WINDOWS\system32\yayvwtr.dll
2006-09-04 17:26 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2006-09-04 17:26 6,020 --a------ C:\clean.bat
2006-09-04 17:26 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-09-04 17:26 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2006-09-04 17:26 38,400 --a------ C:\WINDOWS\system32\moveex.exe
2006-09-04 12:39 180,224 --a------ C:\WINDOWS\system32\nvuaudio.exe
2006-08-29 01:37 72,192 --a------ C:\WINDOWS\unlite3.exe
2006-08-17 20:14 864,256 --a------ C:\WINDOWS\system32\DevIL.dll
2006-08-17 20:14 81,920 --a------ C:\WINDOWS\system32\ILU.dll
2006-08-17 20:14 36,864 --a------ C:\WINDOWS\system32\ILUT.dll
2006-08-17 20:14 161,280 --a------ C:\WINDOWS\system32\fmod.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-05 17:55 -------- d-------- C:\Program Files\Common Files
2006-09-05 17:46 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-05 14:23 -------- d-------- C:\Documents and Settings\Jake\Application Data\uTorrent
2006-09-05 13:08 -------- d-------- C:\Program Files\Armagetron Advanced
2006-09-05 12:59 -------- d-------- C:\Program Files\3DRipperDX
2006-09-05 11:31 4051968 --a------ C:\WINDOWS\system32\logonuiX.exe
2006-09-04 17:26 -------- d-------- C:\Program Files\HaxFix
2006-09-04 15:14 -------- d-------- C:\Program Files\Armadillo Run
2006-09-04 15:06 -------- d-------- C:\Program Files\Webroot
2006-09-04 15:06 -------- d-------- C:\Documents and Settings\Jake\Application Data\Webroot
2006-09-03 01:53 -------- d-------- C:\Program Files\MSN Messenger
2006-09-02 15:36 33952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2006-09-02 15:30 -------- d-------- C:\Program Files\Human Head Studios
2006-08-31 17:54 -------- d-------- C:\Program Files\Steam
2006-08-30 17:34 -------- d-------- C:\Program Files\Winamp
2006-08-29 01:37 -------- d-------- C:\Program Files\Bradbury
2006-08-29 01:28 -------- d-------- C:\Documents and Settings\Jake\Application Data\SecondLife
2006-08-26 18:18 2828 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-08-26 18:14 56 -r-hs---- C:\WINDOWS\system32\C6B8F76B88.sys
2006-08-26 18:14 -------- d-------- C:\Program Files\Toolkit3
2006-08-25 00:14 -------- d-------- C:\Documents and Settings\Jake\Application Data\Inkscape
2006-08-17 23:16 -------- d-------- C:\Program Files\ArtMoney
2006-08-17 20:14 -------- d-------- C:\Program Files\Lugaru
2006-08-17 01:30 -------- d-------- C:\Program Files\Toshiba
2006-08-15 19:35 -------- d-------- C:\Program Files\mIRC
2006-08-14 22:50 -------- d-------- C:\Program Files\GENIUS TABLET
2006-08-12 19:32 -------- d-------- C:\Program Files\FlashFXP
2006-08-12 03:06 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-08-12 03:06 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-08-08 17:35 -------- d-------- C:\Program Files\XMoto
2006-08-06 22:01 -------- d-------- C:\Documents and Settings\Jake\Application Data\Armagetron
2006-08-06 00:57 -------- d-------- C:\Program Files\Second Sight Software
2006-08-04 22:53 -------- d-------- C:\Program Files\Tattoo
2006-08-04 00:24 -------- d-------- C:\Program Files\wings3d_0.98.32a
2006-08-04 00:12 -------- d-------- C:\Program Files\Jed's Half-Life Model Viewer 1.3.5
2006-08-03 16:52 -------- d-------- C:\Program Files\Common Files\element5 Shared
2006-08-03 16:51 -------- d--h----- C:\Program Files\Zero G Registry
2006-08-03 16:50 -------- d-------- C:\Program Files\Pixologic
2006-08-03 02:59 -------- d-------- C:\Program Files\MilkShape 3D 1.7.9
2006-08-01 12:30 -------- dr------- C:\Program Files\Xfire
2006-07-31 18:43 -------- d-------- C:\Documents and Settings\Jake\Application Data\yoclient
2006-07-26 01:12 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-07-23 21:44 -------- d-------- C:\Program Files\MIKSOFT
2006-07-23 17:06 -------- d-------- C:\Program Files\Three Rings Design
2006-07-23 03:05 -------- d-------- C:\Program Files\3gpConvert
2006-07-23 00:07 -------- d-------- C:\Program Files\IVT Corporation
2006-07-22 12:48 -------- d-a------ C:\Program Files\Win Mugen
2006-07-22 01:06 -------- d-------- C:\Program Files\UltraMon
2006-07-22 01:06 -------- d-------- C:\Program Files\Common Files\Realtime Soft
2006-07-22 01:06 -------- d-------- C:\Documents and Settings\Jake\Application Data\Realtime Soft
2006-07-15 20:08 -------- d-------- C:\Program Files\ATI Technologies
2006-07-15 20:00 -------- d-------- C:\Program Files\Bridge Construction Set
2006-07-13 11:14 -------- d-------- C:\Program Files\Souptoys
2006-07-13 11:14 -------- d-------- C:\Documents and Settings\Jake\Application Data\Souptoys
2006-07-11 00:32 -------- d-------- C:\Program Files\GetRight
2006-07-11 00:30 -------- d-------- C:\Program Files\Yahoo!
2006-07-09 16:35 -------- d-------- C:\Program Files\OpenTTD
2006-07-08 12:35 -------- d-------- C:\Program Files\RocketJockey
2006-07-07 17:53 -------- d-------- C:\Documents and Settings\Jake\Application Data\Opera
2006-07-07 16:41 15360 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2006-07-07 16:41 14848 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2006-07-07 16:41 13824 --a------ C:\WINDOWS\system32\drivers\SSFS041A.sys
2006-07-07 16:41 117248 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2006-06-16 14:34 48936 --a------ C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"LogonStudio"="\"C:\\Program Files\\WinCustomize\\LogonStudio\\logonstudio.exe\" /RANDOM"
"CoolSwitch"="C:\\WINDOWS\\system32\\taskswitch.exe"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe\" /STARTUP"
"WService"="WService.EXE"
"UltraMon"="\"C:\\Program Files\\UltraMon\\UltraMon.exe\" /auto"
"BluetoothAuthenticationAgent"="\"rundll32.exe\" bthprops.cpl,,BluetoothAuthenticationAgent"
"SoundMan"="SOUNDMAN.EXE"
"KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,77,01,00,00,00,00,00,00,89,03,00,00,d4,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,93,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{D3B3C51E-8D11-4667-85B9-0930F519BED7}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\kdx]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHost"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\kdx\\KHost.exe -all"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PWRISOVM.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PWRISOVM"
"hkey"="HKLM"
"command"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime Alternative\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"Macromedia Licensing Service"=dword:00000003
"KService"=dword:00000002
"Ati HotKey Poller"=dword:00000002
"Adobe LM Service"=dword:00000003

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtussr

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\cavalry.job

Completion time: 05/09/2006 17:59:05.07
ComboFix.txt


HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 06:01:20 PM, on 05/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
c:\windows\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WService.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HJT\senor butts.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\awtussr.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1143323537687
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C632C53B-D695-4619-9529-A4F57CD695A5}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awtussr - C:\WINDOWS\SYSTEM32\awtussr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE

Last edited by Jake5; 09-05-2006 at 11:06 AM.
Jake5 is offline  
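A small triage script for the two log formats posted in this thread, added here as an example (it is not code from the forum, from HijackThis or from ComboFix, and its regexes assume the HijackThis 1.99.1 and ComboFix line layouts shown above). It parses the O2/O20 entries and the ComboFix "Files Created" lines and flags the pattern a helper looks for here: an unnamed BHO loaded from system32 that is also hooked as a Winlogon Notify handler, and freshly created hidden+system files under system32.

```python
"""Triage helpers for HijackThis 1.99 and ComboFix logs (added example).

Not part of the forum thread and not code from HijackThis or ComboFix.
The sample inputs below are constructed from lines quoted in the thread.
"""
import re
from typing import Dict, List

# Line shapes as they appear in a HijackThis 1.99.1 log (assumption: same layout).
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
# ComboFix "Files Created" line: date, time, size, 9-char attribute field, path.
CF_FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)

# Constructed sample: O2/O20 lines taken from the first HJT log in this thread.
SAMPLE_HJT = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {30796087-BB6B-4B22-878F-B3C1FB696F67} - C:\WINDOWS\system32\awvvt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: awtussr - C:\WINDOWS\SYSTEM32\awtussr.dll
O20 - Winlogon Notify: awvvt - C:\WINDOWS\system32\awvvt.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Constructed sample: "Files Created" lines taken from the ComboFix log above.
SAMPLE_COMBOFIX = r"""
2006-09-05 12:57 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-09-05 00:12 40,973 ---hs---- C:\WINDOWS\system32\awtussr.dll
2006-09-04 17:57 40,973 ---hs---- C:\WINDOWS\system32\yayvwtr.dll
2006-09-04 17:26 6,020 --a------ C:\clean.bat
"""


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def triage_hjt(log: str) -> List[Dict[str, str]]:
    """Flag unnamed BHOs in system32; note when the same DLL is also a Winlogon Notify handler."""
    bhos, notifies = [], []
    for raw in log.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append(m.groupdict())
    notify_dlls = {_basename(n["path"]) for n in notifies}

    findings = []
    for b in bhos:
        dll = _basename(b["path"])
        if b["name"] == "(no name)" and _in_system32(b["path"]):
            reason = "unnamed BHO loaded from system32"
            if dll in notify_dlls:
                reason += "; also registered as a Winlogon Notify handler"
            findings.append({"dll": dll, "clsid": b["clsid"], "reason": reason})
    return findings


def triage_combofix_created(log: str) -> List[Dict[str, str]]:
    """Flag newly created files under system32 whose attributes include hidden and system."""
    flagged = []
    for raw in log.splitlines():
        m = CF_FILE_RE.match(raw.strip())
        if not m:
            continue
        attrs = m.group("attrs")
        if "h" in attrs and "s" in attrs and _in_system32(m.group("path")):
            flagged.append({"path": m.group("path"), "size": m.group("size"), "attrs": attrs})
    return flagged


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print("HJT:", f["dll"], f["clsid"], f["reason"])
    for f in triage_combofix_created(SAMPLE_COMBOFIX):
        print("ComboFix:", f["path"], f["size"], f["attrs"])
```

On the constructed samples this reports awvvt.dll (unnamed BHO plus Winlogon Notify) and the two 40,973-byte hidden+system DLLs, while SDHelper.dll (Spybot, outside system32) and the DirectX DLLs are left alone.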
Old 09-05-2006, 11:05 AM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,740
OS: 2000 Pro; XP Pro; XP Home


This site will do the same thing for us; the procedure is nearly the same: browse to the file on your system and upload it for scanning:

http://www.virustotal.com/en/indexf.html
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 09-05-2006, 11:23 AM   #5 (permalink)
Registered User
 
Join Date: Sep 2006
Posts: 7
OS: Windows XP Pro SP2


The HJT and ComboFix results are edited into my post above, and here are the file scanner site results:
Jake5 is offline  
Old 09-05-2006, 12:38 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,740
OS: 2000 Pro; XP Pro; XP Home


Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Run Combofix again, using this command:


Go to Start -> Run and then paste in this single line command & click OK
"%userprofile%\desktop\combofix.exe" /v awtussr yayvwtr


Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

When finished, it shall produce a log for you. Post that log in your next reply with a new HJT log

---------------------------------------------------------------------------------------------

Download Ewido Anti-spyware
  • Install Ewido Anti-spyware
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT Ewido anti-spyware. Do Not run a scan just yet, we will shortly.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Log in to your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

Perform an online scan with Internet Explorer with Panda ActiveScan http://www.pandasoftware.com/products/activescan.htm

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with logs from:

Ewido
Panda
HJT

How is your system behaving now, please?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 09-05-2006 at 12:42 PM. Reason: changed instruction
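The Ewido scan report that the instructions above ask to be posted lists one finding per line as "location -> detection name : action taken", with browser-cookie hits prefixed ":mozilla.n:" (n being the cookie's index in cookies.txt). Most of such a report is tracking-cookie noise; what a helper actually needs to see is the handful of file detections and anything the tool failed to neutralize. The following Python helper is an added example, not code from this forum or from Ewido, that parses a report in that format and separates the two. The sample report embedded in it is constructed: its three cookie lines follow the real format, while the two file detections (the names "Trojan.Example.A" and "Dialer.Example", their paths, and the "Error during cleaning" action) are hypothetical placeholders used only to exercise the non-cookie path.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# One Ewido report entry per line:  <location> -> <detection name> : <action taken>.
# For browser cookies the location is ":mozilla.<n>:<path to cookies.txt>", where <n>
# is the cookie's index inside that file; for files it is a plain Windows path.
ENTRY_RE = re.compile(r"^(?P<loc>.+?)\s+->\s+(?P<name>[^:]+?)\s*:\s*(?P<action>.+?)\.?$")
COOKIE_RE = re.compile(r"^:mozilla\.(?P<idx>\d+):(?P<path>.+)$")


@dataclass
class Finding:
    location: str
    name: str                    # e.g. "TrackingCookie.Hitbox"
    action: str                  # e.g. "Cleaned with backup (quarantined)"
    cookie_index: Optional[int]  # only set for :mozilla.<n>: cookie entries

    @property
    def is_tracking_cookie(self) -> bool:
        return self.name.startswith("TrackingCookie.")

    @property
    def neutralized(self) -> bool:
        # A successful removal reads "Cleaned ..." or ends in "(quarantined)".
        a = self.action.lower()
        return a.startswith("cleaned") or "quarantin" in a


def parse_report(text: str) -> List[Finding]:
    """Return every detection line of an Ewido-style scan report, skipping headers."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # banner, separator, "Created at", blank lines
        loc, idx = m.group("loc"), None
        c = COOKIE_RE.match(loc)
        if c:
            idx, loc = int(c.group("idx")), c.group("path")
        findings.append(Finding(loc, m.group("name").strip(), m.group("action").strip(), idx))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Separate cookie noise from the findings a helper must actually look at."""
    cookies = [f for f in findings if f.is_tracking_cookie]
    non_cookie = [f for f in findings if not f.is_tracking_cookie]
    networks = Counter(f.name.split(".", 1)[1] for f in cookies)  # ad network per cookie hit
    return {
        "tracking_cookies": len(cookies),
        "cookie_networks": dict(networks),
        "non_cookie": non_cookie,
        "not_neutralized": [f for f in findings if not f.neutralized],
    }


# Constructed sample: three cookie lines in the real report format plus two hypothetical
# file detections (names, paths and the error action are invented for illustration).
SAMPLE_REPORT = r"""
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 08:54:29 PM 05/09/2006

+ Scan result:

:mozilla.130:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.38:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.521:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\WINDOWS\system32\example.dll -> Trojan.Example.A : Cleaned with backup (quarantined).
C:\Documents and Settings\Jake\Local Settings\Temp\example.tmp -> Dialer.Example : Error during cleaning.
"""


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    print(f"tracking cookies: {s['tracking_cookies']} across {s['cookie_networks']}")
    for f in s["non_cookie"]:
        print(f"LOOK AT:     {f.name:<20} {f.action:<35} {f.location}")
    for f in s["not_neutralized"]:
        print(f"NOT REMOVED: {f.name} at {f.location}")
```

Run it against a saved Ewido report by passing the file's contents to parse_report; the two lists it prints are the only lines worth carrying into the next reply, while the cookie count per ad network is all that needs to be said about the rest.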
Old 09-05-2006, 12:42 PM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
tetonbob
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,740
OS: 2000 Pro; XP Pro; XP Home


Jake5, please see the amended instructions.
Old 09-05-2006, 02:21 PM   #8 (permalink)
Registered User
 
Join Date: Sep 2006
Posts: 7
OS: Windows XP Pro SP2


I haven't had the virus alert pop up for a while now.

Ewido

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 08:54:29 PM 05/09/2006

+ Scan result:



:mozilla.130:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.131:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.132:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.133:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.134:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.135:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.136:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.137:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.138:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.139:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.140:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.141:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.142:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.143:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.144:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.145:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.146:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.147:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.148:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.149:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.150:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.151:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.152:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.153:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.154:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.155:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.156:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.157:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.158:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.159:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.160:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.161:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.162:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.163:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.164:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.165:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.166:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.167:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.168:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.169:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.170:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.171:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.172:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.173:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.174:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.175:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.176:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.177:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.178:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.179:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.357:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.516:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.622:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.755:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.861:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.944:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.38:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.39:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.41:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.811:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.599:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
:mozilla.600:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
:mozilla.601:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
:mozilla.766:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.767:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.769:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.770:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.771:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.774:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.684:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
:mozilla.663:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.664:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.665:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.666:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.667:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.668:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.330:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup (quarantined).
:mozilla.96:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.97:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.98:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.907:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.828:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.829:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.331:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.521:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.523:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.527:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.576:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.672:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.696:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.697:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.698:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.759:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.876:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.877:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.878:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.879:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.880:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.911:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.912:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.913:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.914:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.915:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.924:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.844:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
:mozilla.845:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
:mozilla.846:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
:mozilla.847:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
:mozilla.268:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup (quarantined).
:mozilla.615:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
:mozilla.569:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup (quarantined).
:mozilla.570:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup (quarantined).
:mozilla.571:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup (quarantined).
:mozilla.186:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.187:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.751:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.834:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup (quarantined).
:mozilla.278:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.279:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.280:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.281:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.282:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.283:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.284:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.285:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.286:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.287:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.288:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.289:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.290:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.291:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.292:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.293:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.294:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.295:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.296:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.297:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.298:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.299:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.300:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.301:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.302:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.303:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.304:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.305:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.306:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.307:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.308:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.309:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.310:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.311:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.312:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.313:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.314:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.315:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.316:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.317:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.318:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.319:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.320:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.321:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.322:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.323:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.324:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.325:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.326:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.327:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.32:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.33:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.34:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.35:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.36:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.614:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined).
:mozilla.251:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Trafic : Cleaned with backup (quarantined).
:mozilla.831:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
:mozilla.119:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.120:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.121:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.122:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.123:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).


::Report end



Panda


Incident Status Location

Spyware:Cookie/MetriWeb Not disinfected C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt[.metriweb.be/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt[.go.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\dij40uru.default\cookies.txt[.xiti.com/]



Hijack This

Logfile of HijackThis v1.99.1
Scan saved at 09:14:13 PM, on 05/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
c:\windows\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\WService.EXE
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\senor butts.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A2078732-CCE8-46FD-99FA-910F852673C6} - C:\WINDOWS\system32\ssttt.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1143323537687
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C632C53B-D695-4619-9529-A4F57CD695A5}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ssttt - C:\WINDOWS\system32\ssttt.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE

Last edited by Jake5; 09-05-2006 at 02:28 PM.
Old 09-05-2006, 03:16 PM   #9
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,740
OS: 2000 Pro; XP Pro; XP Home


Hi Jake5 -

You may not have seen my amended instructions in the previous post...so let's do this:

Please run combofix again, using these instructions:


Go to Start -> Run and then paste in this single line command & click OK
"%userprofile%\desktop\combofix.exe" /v ssttt yayvwtr


Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

When finished, it will produce a log for you. Post that log in your next reply, along with a new HJT log.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 09-05-2006, 03:18 PM   #10
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,740
OS: 2000 Pro; XP Pro; XP Home


Also do this:

Clear your Firefox cookies. From the open browser, go to Tools > Options > Privacy > Cookies > Clear.
Old 09-05-2006, 03:57 PM   #11
Registered User
 
Join Date: Sep 2006
Posts: 7
OS: Windows XP Pro SP2


ComboFix

Jake - 06-09-05 22:52:22.62
ComboFix 06.09.04BT - Running from: C:\Documents and Settings\Jake\Desktop

Microsoft Windows XP [Version 5.1.2600]

((((((((((((((((((((((((((((((( Files Created from 2006-08-05 to 2006-09-05 ))))))))))))))))))))))))))))))))))


2006-09-05 18:05 692,276 ---hs---- C:\WINDOWS\system32\ssttt.dll
2006-09-05 18:05 505,729 ---hs---- C:\WINDOWS\system32\tttss.bak1
2006-09-05 12:57 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-09-05 12:57 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-09-05 12:57 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2006-09-04 17:26 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2006-09-04 17:26 6,020 --a------ C:\clean.bat
2006-09-04 17:26 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-09-04 17:26 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2006-09-04 17:26 38,400 --a------ C:\WINDOWS\system32\moveex.exe
2006-09-04 12:39 180,224 --a------ C:\WINDOWS\system32\nvuaudio.exe
2006-08-29 01:37 72,192 --a------ C:\WINDOWS\unlite3.exe
2006-08-17 20:14 864,256 --a------ C:\WINDOWS\system32\DevIL.dll
2006-08-17 20:14 81,920 --a------ C:\WINDOWS\system32\ILU.dll
2006-08-17 20:14 36,864 --a------ C:\WINDOWS\system32\ILUT.dll
2006-08-17 20:14 161,280 --a------ C:\WINDOWS\system32\fmod.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-05 22:54 -------- d-------- C:\Documents and Settings\Jake\Application Data\uTorrent
2006-09-05 21:55 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-05 21:33 4051968 --a------ C:\WINDOWS\system32\logonuiX.exe
2006-09-05 20:06 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-05 17:55 -------- d-------- C:\Program Files\Common Files
2006-09-05 13:08 -------- d-------- C:\Program Files\Armagetron Advanced
2006-09-05 12:59 -------- d-------- C:\Program Files\3DRipperDX
2006-09-04 17:26 -------- d-------- C:\Program Files\HaxFix
2006-09-04 15:14 -------- d-------- C:\Program Files\Armadillo Run
2006-09-04 15:06 -------- d-------- C:\Program Files\Webroot
2006-09-03 01:53 -------- d-------- C:\Program Files\MSN Messenger
2006-09-02 15:36 33952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2006-09-02 15:30 -------- d-------- C:\Program Files\Human Head Studios
2006-08-31 17:54 -------- d-------- C:\Program Files\Steam
2006-08-30 17:34 -------- d-------- C:\Program Files\Winamp
2006-08-29 01:37 -------- d-------- C:\Program Files\Bradbury
2006-08-29 01:28 -------- d-------- C:\Documents and Settings\Jake\Application Data\SecondLife
2006-08-26 18:18 2828 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-08-26 18:14 56 -r-hs---- C:\WINDOWS\system32\C6B8F76B88.sys
2006-08-26 18:14 -------- d-------- C:\Program Files\Toolkit3
2006-08-25 00:14 -------- d-------- C:\Documents and Settings\Jake\Application Data\Inkscape
2006-08-17 23:16 -------- d-------- C:\Program Files\ArtMoney
2006-08-17 20:14 -------- d-------- C:\Program Files\Lugaru
2006-08-17 01:30 -------- d-------- C:\Program Files\Toshiba
2006-08-15 19:35 -------- d-------- C:\Program Files\mIRC
2006-08-14 22:50 -------- d-------- C:\Program Files\GENIUS TABLET
2006-08-12 19:32 -------- d-------- C:\Program Files\FlashFXP
2006-08-12 03:06 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-08-12 03:06 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-08-08 17:35 -------- d-------- C:\Program Files\XMoto
2006-08-06 22:01 -------- d-------- C:\Documents and Settings\Jake\Application Data\Armagetron
2006-08-06 00:57 -------- d-------- C:\Program Files\Second Sight Software
2006-08-04 22:53 -------- d-------- C:\Program Files\Tattoo
2006-08-04 00:24 -------- d-------- C:\Program Files\wings3d_0.98.32a
2006-08-04 00:12 -------- d-------- C:\Program Files\Jed's Half-Life Model Viewer 1.3.5
2006-08-03 16:52 -------- d-------- C:\Program Files\Common Files\element5 Shared
2006-08-03 16:51 -------- d--h----- C:\Program Files\Zero G Registry
2006-08-03 16:50 -------- d-------- C:\Program Files\Pixologic
2006-08-03 02:59 -------- d-------- C:\Program Files\MilkShape 3D 1.7.9
2006-08-01 12:30 -------- dr------- C:\Program Files\Xfire
2006-07-31 18:43 -------- d-------- C:\Documents and Settings\Jake\Application Data\yoclient
2006-07-26 01:12 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-07-23 21:44 -------- d-------- C:\Program Files\MIKSOFT
2006-07-23 17:06 -------- d-------- C:\Program Files\Three Rings Design
2006-07-23 03:05 -------- d-------- C:\Program Files\3gpConvert
2006-07-23 00:07 -------- d-------- C:\Program Files\IVT Corporation
2006-07-22 12:48 -------- d-a------ C:\Program Files\Win Mugen
2006-07-22 01:06 -------- d-------- C:\Program Files\UltraMon
2006-07-22 01:06 -------- d-------- C:\Program Files\Common Files\Realtime Soft
2006-07-22 01:06 -------- d-------- C:\Documents and Settings\Jake\Application Data\Realtime Soft
2006-07-15 20:08 -------- d-------- C:\Program Files\ATI Technologies
2006-07-15 20:00 -------- d-------- C:\Program Files\Bridge Construction Set
2006-07-13 11:14 -------- d-------- C:\Program Files\Souptoys
2006-07-13 11:14 -------- d-------- C:\Documents and Settings\Jake\Application Data\Souptoys
2006-07-11 00:32 -------- d-------- C:\Program Files\GetRight
2006-07-11 00:30 -------- d-------- C:\Program Files\Yahoo!
2006-07-09 16:35 -------- d-------- C:\Program Files\OpenTTD
2006-07-08 12:35 -------- d-------- C:\Program Files\RocketJockey
2006-07-07 17:53 -------- d-------- C:\Documents and Settings\Jake\Application Data\Opera
2006-06-16 14:34 48936 --a------ C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"LogonStudio"="\"C:\\Program Files\\WinCustomize\\LogonStudio\\logonstudio.exe\" /RANDOM"
"CoolSwitch"="C:\\WINDOWS\\system32\\taskswitch.exe"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe\" /STARTUP"
"WService"="WService.EXE"
"UltraMon"="\"C:\\Program Files\\UltraMon\\UltraMon.exe\" /auto"
"BluetoothAuthenticationAgent"="\"rundll32.exe\" bthprops.cpl,,BluetoothAuthenticationAgent"
"SoundMan"="SOUNDMAN.EXE"
"KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"SpySweeperUninstallSurvey"="http://products.webroot.com/disp0201.php?pc=64011&rc=4129&ps=T&oc=33&mjv=5&mnv=0&bld=1286&cd=&dcc=&drc=&mo=&sid=1885825710&lang=en&loc=GBR&opi=2&omj=5&omn=1&rsc="

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce\Setup]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,77,01,00,00,00,00,00,00,89,03,00,00,d4,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,93,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\kdx]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHost"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\kdx\\KHost.exe -all"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PWRISOVM.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PWRISOVM"
"hkey"="HKLM"
"command"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime Alternative\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"Macromedia Licensing Service"=dword:00000003
"KService"=dword:00000002
"Ati HotKey Poller"=dword:00000002
"Adobe LM Service"=dword:00000003

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssttt


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\cavalry.job

Completion time: 06-09-05 22:54:09.00
ComboFix.txt
ComboFix2.txt
ComboFix3.txt

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 22:56, on 06-09-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
c:\windows\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\WService.EXE
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\µTorrent\µTorrent.exe
C:\HJT\senor butts.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A58495D4-D0A7-42E1-B2C1-1088D3636D91} - C:\WINDOWS\system32\ssttt.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\RunOnce: [SpySweeperUninstallSurvey] http://products.webroot.com/disp0201...j=5&omn=1&rsc=
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1143323537687
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C632C53B-D695-4619-9529-A4F57CD695A5}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ssttt - C:\WINDOWS\system32\ssttt.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE
Old 09-05-2006, 04:00 PM   #12 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,740
OS: 2000 Pro; XP Pro; XP Home


It appears as though you just ran combofix with a double click on the exe, not using the runbox command. Is this so?

Go to Start -> Run and then paste in this single line command & click OK
"%userprofile%\desktop\combofix.exe" /v ssttt


Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

When finished, it shall produce a log for you. Post that log in your next reply with a new HJT log.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 09-05-2006, 04:28 PM   #13 (permalink)
Jake5, Registered User
Join Date: Sep 2006
Posts: 7
OS: Windows XP Pro SP2


I'm pretty sure that's what I did, but I did it again anyway:

ComboFix

Jake - 06-09-05 23:20:48.60
ComboFix 06.09.04BT - Running from: C:\Documents and Settings\Jake\desktop

Microsoft Windows XP [Version 5.1.2600]

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\tttss.bak1
C:\WINDOWS\system32\tttss.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((( Files Created from 2006-08-05 to 2006-09-05 ))))))))))))))))))))))))))))))))))


2006-09-05 12:57 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-09-05 12:57 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-09-05 12:57 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2006-09-04 17:26 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2006-09-04 17:26 6,020 --a------ C:\clean.bat
2006-09-04 17:26 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-09-04 17:26 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2006-09-04 17:26 38,400 --a------ C:\WINDOWS\system32\moveex.exe
2006-09-04 12:39 180,224 --a------ C:\WINDOWS\system32\nvuaudio.exe
2006-08-29 01:37 72,192 --a------ C:\WINDOWS\unlite3.exe
2006-08-17 20:14 864,256 --a------ C:\WINDOWS\system32\DevIL.dll
2006-08-17 20:14 81,920 --a------ C:\WINDOWS\system32\ILU.dll
2006-08-17 20:14 36,864 --a------ C:\WINDOWS\system32\ILUT.dll
2006-08-17 20:14 161,280 --a------ C:\WINDOWS\system32\fmod.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-05 23:21 -------- d-------- C:\Documents and Settings\Jake\Application Data\uTorrent
2006-09-05 21:55 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-05 21:33 4051968 --a------ C:\WINDOWS\system32\logonuiX.exe
2006-09-05 20:06 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-05 17:55 -------- d-------- C:\Program Files\Common Files
2006-09-05 13:08 -------- d-------- C:\Program Files\Armagetron Advanced
2006-09-05 12:59 -------- d-------- C:\Program Files\3DRipperDX
2006-09-04 17:26 -------- d-------- C:\Program Files\HaxFix
2006-09-04 15:14 -------- d-------- C:\Program Files\Armadillo Run
2006-09-03 01:53 -------- d-------- C:\Program Files\MSN Messenger
2006-09-02 15:36 33952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2006-09-02 15:30 -------- d-------- C:\Program Files\Human Head Studios
2006-08-31 17:54 -------- d-------- C:\Program Files\Steam
2006-08-30 17:34 -------- d-------- C:\Program Files\Winamp
2006-08-29 01:37 -------- d-------- C:\Program Files\Bradbury
2006-08-29 01:28 -------- d-------- C:\Documents and Settings\Jake\Application Data\SecondLife
2006-08-26 18:18 2828 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-08-26 18:14 56 -r-hs---- C:\WINDOWS\system32\C6B8F76B88.sys
2006-08-26 18:14 -------- d-------- C:\Program Files\Toolkit3
2006-08-25 00:14 -------- d-------- C:\Documents and Settings\Jake\Application Data\Inkscape
2006-08-17 23:16 -------- d-------- C:\Program Files\ArtMoney
2006-08-17 20:14 -------- d-------- C:\Program Files\Lugaru
2006-08-17 01:30 -------- d-------- C:\Program Files\Toshiba
2006-08-15 19:35 -------- d-------- C:\Program Files\mIRC
2006-08-14 22:50 -------- d-------- C:\Program Files\GENIUS TABLET
2006-08-12 19:32 -------- d-------- C:\Program Files\FlashFXP
2006-08-12 03:06 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-08-12 03:06 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-08-08 17:35 -------- d-------- C:\Program Files\XMoto
2006-08-06 22:01 -------- d-------- C:\Documents and Settings\Jake\Application Data\Armagetron
2006-08-06 00:57 -------- d-------- C:\Program Files\Second Sight Software
2006-08-04 22:53 -------- d-------- C:\Program Files\Tattoo
2006-08-04 00:24 -------- d-------- C:\Program Files\wings3d_0.98.32a
2006-08-04 00:12 -------- d-------- C:\Program Files\Jed's Half-Life Model Viewer 1.3.5
2006-08-03 16:52 -------- d-------- C:\Program Files\Common Files\element5 Shared
2006-08-03 16:51 -------- d--h----- C:\Program Files\Zero G Registry
2006-08-03 16:50 -------- d-------- C:\Program Files\Pixologic
2006-08-03 02:59 -------- d-------- C:\Program Files\MilkShape 3D 1.7.9
2006-08-01 12:30 -------- dr------- C:\Program Files\Xfire
2006-07-31 18:43 -------- d-------- C:\Documents and Settings\Jake\Application Data\yoclient
2006-07-26 01:12 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-07-23 21:44 -------- d-------- C:\Program Files\MIKSOFT
2006-07-23 17:06 -------- d-------- C:\Program Files\Three Rings Design
2006-07-23 03:05 -------- d-------- C:\Program Files\3gpConvert
2006-07-23 00:07 -------- d-------- C:\Program Files\IVT Corporation
2006-07-22 12:48 -------- d-a------ C:\Program Files\Win Mugen
2006-07-22 01:06 -------- d-------- C:\Program Files\UltraMon
2006-07-22 01:06 -------- d-------- C:\Program Files\Common Files\Realtime Soft
2006-07-22 01:06 -------- d-------- C:\Documents and Settings\Jake\Application Data\Realtime Soft
2006-07-15 20:08 -------- d-------- C:\Program Files\ATI Technologies
2006-07-15 20:00 -------- d-------- C:\Program Files\Bridge Construction Set
2006-07-13 11:14 -------- d-------- C:\Program Files\Souptoys
2006-07-13 11:14 -------- d-------- C:\Documents and Settings\Jake\Application Data\Souptoys
2006-07-11 00:32 -------- d-------- C:\Program Files\GetRight
2006-07-11 00:30 -------- d-------- C:\Program Files\Yahoo!
2006-07-09 16:35 -------- d-------- C:\Program Files\OpenTTD
2006-07-08 12:35 -------- d-------- C:\Program Files\RocketJockey
2006-07-07 17:53 -------- d-------- C:\Documents and Settings\Jake\Application Data\Opera
2006-06-16 14:34 48936 --a------ C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"LogonStudio"="\"C:\\Program Files\\WinCustomize\\LogonStudio\\logonstudio.exe\" /RANDOM"
"CoolSwitch"="C:\\WINDOWS\\system32\\taskswitch.exe"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe\" /STARTUP"
"WService"="WService.EXE"
"UltraMon"="\"C:\\Program Files\\UltraMon\\UltraMon.exe\" /auto"
"BluetoothAuthenticationAgent"="\"rundll32.exe\" bthprops.cpl,,BluetoothAuthenticationAgent"
"SoundMan"="SOUNDMAN.EXE"
"KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"SpySweeperUninstallSurvey"="http://products.webroot.com/disp0201.php?pc=64011&rc=4129&ps=T&oc=33&mjv=5&mnv=0&bld=1286&cd=&dcc=&drc=&mo=&sid=1885825710&lang=en&loc=GBR&opi=2&omj=5&omn=1&rsc="

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce\Setup]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,77,01,00,00,00,00,00,00,89,03,00,00,d4,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,93,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\kdx]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHost"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\kdx\\KHost.exe -all"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PWRISOVM.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PWRISOVM"
"hkey"="HKLM"
"command"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime Alternative\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"Macromedia Licensing Service"=dword:00000003
"KService"=dword:00000002
"Ati HotKey Poller"=dword:00000002
"Adobe LM Service"=dword:00000003



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\cavalry.job

Completion time: 06-09-05 23:23:22.10
ComboFix.txt
ComboFix2.txt
ComboFix3.txt


HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 23:26, on 06-09-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
c:\windows\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\WService.EXE
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HJT\senor butts.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1143323537687
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C632C53B-D695-4619-9529-A4F57CD695A5}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE
Old 09-05-2006, 04:42 PM   #14 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,740
OS: 2000 Pro; XP Pro; XP Home


Good job. That gave us the vundo log portion of combofix, as you can see.

It appears to be vanquished.

All the other scanners found were cookies, which should now have been eliminated.

Well done. Your logs are clean. Any more issues? If not, you should be good to go. We still have a few items to address.


Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK


Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • tick on the checkbox - "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • SpywareGuard to catch and block spyware before it can execute.
  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software. A tutorial on installing & using this product can be found here
  • AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis, just as you would with antivirus software, in conjunction with Spybot. A tutorial on installing & using this product can be found here
  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

  • IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • Download IE-SpyAD - Extract the contents to a new folder
      From within the folder, double-click install.bat
      Select Option #2 - Install the new IE-SPYAD list.
      Then return to the main menu.
      Select option #4 - Add the old porn sites domain


  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.


  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online antivirus scanners:

    Anti-Spyware Tutorial

    Here are two very good free Antivirus products which are available:
  • Avast!

  • AVG

If you do not have a firewall, here are 4 free ones available for personal use:


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles.
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
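The before-and-after comparison tetonbob made by eye (the O20 Winlogon Notify ssttt entry that Vundo planted is gone from the second HJT log, and WRNotifier now reports its DLL as missing) can be scripted. This is an added example, not part of the thread or of HijackThis/ComboFix; the two sample logs are constructed from the O20 lines quoted above, and the allowlist of expected notification packages is an assumption for this machine.

```python
import re
from typing import Dict, List, Tuple

# Shape of a HijackThis 1.99 "O20" line, e.g.
#   O20 - Winlogon Notify: ssttt - C:\WINDOWS\system32\ssttt.dll
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")

# Notification packages expected on this XP SP2 box (assumption for the example:
# WgaLogon is Windows Genuine Advantage, WRNotifier is Webroot Spy Sweeper).
KNOWN_NOTIFY = {"wgalogon", "wrnotifier"}

# Constructed sample input: the O20 lines from the two HJT logs in this thread.
BEFORE_LOG = r"""
O20 - Winlogon Notify: ssttt - C:\WINDOWS\system32\ssttt.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""
AFTER_LOG = r"""
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""


def parse_o20(log: str) -> Dict[str, str]:
    """Map each Winlogon Notify subkey name to the DLL path HJT reported."""
    entries: Dict[str, str] = {}
    for line in log.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries[m.group("name").strip()] = m.group("path").strip()
    return entries


def flag_o20(log: str) -> List[Tuple[str, str, str]]:
    """Return (name, path, reason) for O20 entries that deserve a closer look.

    Winlogon Notify DLLs load inside winlogon.exe at every logon, which is why
    Vundo registers itself there; anything outside the baseline is suspect,
    and a baseline entry whose DLL is gone is a dangling registration.
    """
    flagged = []
    for name, path in parse_o20(log).items():
        if name.lower() not in KNOWN_NOTIFY:
            flagged.append((name, path, "not in Winlogon Notify baseline"))
        elif "(file missing)" in path:
            flagged.append((name, path, "registered DLL no longer on disk"))
    return flagged


def removed_o20(before: str, after: str) -> Dict[str, str]:
    """Entries present in the first log but absent from the second."""
    after_names = parse_o20(after)
    return {n: p for n, p in parse_o20(before).items() if n not in after_names}


if __name__ == "__main__":
    for name, path, why in flag_o20(BEFORE_LOG):
        print(f"before: {name:<12} {path}  <- {why}")
    for name, path in removed_o20(BEFORE_LOG, AFTER_LOG).items():
        print(f"gone after fix: {name} ({path})")
    for name, path, why in flag_o20(AFTER_LOG):
        print(f"after:  {name:<12} {path}  <- {why}")
```

Run it against a full HJT log rather than the excerpt and it reports the same two things the thread checked: the unknown ssttt package before the fix, and the orphaned WRNotifier registration afterwards.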
Old 09-05-2006, 05:04 PM   #15 (permalink)
Jake5, Registered User
Join Date: Sep 2006
Posts: 7
OS: Windows XP Pro SP2


Yep, everything seems fine now, thanks a lot for all of your help.
Copyright 2001 - 2009, Tech Support Forum