View Full Version : adware/possible viruses/trojans
vxmorpheusxv
2006-04-06, 01:22
I ran my antivirus (avast!) and spybot in safemode to no avail. "cmdservice" consistently appears in spybot and can't be deleted (2 of 3 entires of it, the one that gets deleted reappears constantly). Of programs running, I can't find any info on ones called "jngbtv.exe" or "awxft.exe", which always has 3 instances running.
I also consistently get i.e and firefox (I use firefox mainly) windows popping up.
Also, below I notice "norton internet security" which I tried to deinstall a while back but never quite uninstalled, wouldn't let me. Now whenever I open word documents or zip files I get an error from norton (which I don't have installed), and I actually can't seem to unzip files any longer.
In any event, here is my hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 7:14:34 PM, on 4/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\awxft.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,kreiebp.exe
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110674607593
O17 - HKLM\System\CCS\Services\Tcpip\..\{17950B61-021F-4465-B6B5-673A880F5203}: NameServer = 167.206.3.205,167.206.3.139
O17 - HKLM\System\CCS\Services\Tcpip\..\{4300BF9B-182C-4572-8D8A-45ABB009709F}: NameServer = 167.206.3.205,167.206.3.139
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINDOWS\system32\OUGHYA~1.DLL
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\enl4l13q1.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
pskelley
2006-04-07, 16:39
Hello and welcome to the forum:) You have some nasty infections, and the first one we must fix is:
ModuleUsage X random named dll in the System32 folder Variant of Adware.Look2Me We have a tool for this that will work if you follow the directions.
1) You are running MSConfig in Selective Startup mode. I must see all logs for the duration of this cleanup in Normal Mode unless I ask otherwise.
2) Please download Look2Me-Destroyer.exe (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.
If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
More info:
If for some reason Look2Me-Destroyer doesn't reopen check that task scheduler is running.
If it isnt you can use sc.exe to start it
start>run sc start schedule press enter.
Post the two logs bolded above, we have much to do.
Thanks...pskelley
Safer Networking Forums
vxmorpheusxv
2006-04-07, 19:00
Hey, thank you for the reply ^.^
Right before you replied to this (well, last night before I went to sleep), I actually ran the Look2Me destroyer, was gonna post a log of it today hehe.
Here's the original log of it from last night:
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 4/6/2006 10:29:05 PM
Infected! C:\WINDOWS\system32\enp6l17s1.dll
Infected! C:\WINDOWS\system32\enp6l17s1.dll
Infected! C:\WINDOWS\system32\ig50_qcx.dll
Infected! C:\WINDOWS\system32\jtr0079me.dll
Infected! C:\WINDOWS\system32\kt8ml7l11.dll
Infected! C:\WINDOWS\system32\lucalsec.dll
Infected! C:\WINDOWS\system32\mdasn1.dll
Infected! C:\WINDOWS\system32\mjdart.dll
Infected! C:\WINDOWS\system32\mrconf.dll
Infected! C:\WINDOWS\system32\mwieftp.dll
Infected! C:\WINDOWS\system32\shardssp.dll
Infected! C:\WINDOWS\system32\srclogon.dll
Infected! C:\WINDOWS\system32\suorage.dll
Infected! C:\WINDOWS\system32\syhannel.dll
Infected! C:\WINDOWS\system32\wthrm.dll
Attempting to delete infected files...
Attempting to delete: C:\WINDOWS\system32\enp6l17s1.dll
C:\WINDOWS\system32\enp6l17s1.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\enp6l17s1.dll
C:\WINDOWS\system32\enp6l17s1.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\ig50_qcx.dll
C:\WINDOWS\system32\ig50_qcx.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\jtr0079me.dll
C:\WINDOWS\system32\jtr0079me.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\kt8ml7l11.dll
C:\WINDOWS\system32\kt8ml7l11.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\lucalsec.dll
C:\WINDOWS\system32\lucalsec.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\mdasn1.dll
C:\WINDOWS\system32\mdasn1.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\mjdart.dll
C:\WINDOWS\system32\mjdart.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\mrconf.dll
C:\WINDOWS\system32\mrconf.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\mwieftp.dll
C:\WINDOWS\system32\mwieftp.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\shardssp.dll
C:\WINDOWS\system32\shardssp.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\srclogon.dll
C:\WINDOWS\system32\srclogon.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\suorage.dll
C:\WINDOWS\system32\suorage.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\syhannel.dll
C:\WINDOWS\system32\syhannel.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\wthrm.dll
C:\WINDOWS\system32\wthrm.dll Deleted successfully!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F55C9661-1B5B-43E8-A42D-B938BD15B1B7}"
HKCR\Clsid\{F55C9661-1B5B-43E8-A42D-B938BD15B1B7}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7F20562B-2ED7-48ED-95DA-04E649B8FA8C}"
HKCR\Clsid\{7F20562B-2ED7-48ED-95DA-04E649B8FA8C}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F00FBA14-BD8B-4E7C-BED0-F178444F9C28}"
HKCR\Clsid\{F00FBA14-BD8B-4E7C-BED0-F178444F9C28}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9E84AE0A-731D-4C32-B104-099154818C80}"
HKCR\Clsid\{9E84AE0A-731D-4C32-B104-099154818C80}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{60C49ED9-3A9C-44F7-B700-3FEC5A1258A3}"
HKCR\Clsid\{60C49ED9-3A9C-44F7-B700-3FEC5A1258A3}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7552C567-8B0E-41A5-93F1-89C1DFDA6561}"
HKCR\Clsid\{7552C567-8B0E-41A5-93F1-89C1DFDA6561}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0B22734A-4D5E-4EDE-A24D-B97F8C02D6F6}"
HKCR\Clsid\{0B22734A-4D5E-4EDE-A24D-B97F8C02D6F6}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F7A445B5-DBAA-41EB-B481-3DD05284E7FE}"
HKCR\Clsid\{F7A445B5-DBAA-41EB-B481-3DD05284E7FE}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B3858209-302A-4900-AE5B-0E0ADDFD8513}"
HKCR\Clsid\{B3858209-302A-4900-AE5B-0E0ADDFD8513}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{EAE0CD60-7B94-4DEF-8272-DB882A836B65}"
HKCR\Clsid\{EAE0CD60-7B94-4DEF-8272-DB882A836B65}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{883767F8-C9DB-492C-A044-68F61CCBD25B}"
HKCR\Clsid\{883767F8-C9DB-492C-A044-68F61CCBD25B}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BF6E34E0-2702-4FA3-B704-7F494FB19F39}"
HKCR\Clsid\{BF6E34E0-2702-4FA3-B704-7F494FB19F39}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A01B6D47-DE6A-4054-BF7D-FA48C7EDDF98}"
HKCR\Clsid\{A01B6D47-DE6A-4054-BF7D-FA48C7EDDF98}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9E668710-A512-43E1-89D3-407A7F9B2B65}"
HKCR\Clsid\{9E668710-A512-43E1-89D3-407A7F9B2B65}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{AE70590D-C543-4148-AC9D-A707D5DE11A5}"
HKCR\Clsid\{AE70590D-C543-4148-AC9D-A707D5DE11A5}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D4281007-4929-4833-8E47-30A6C4DBD909}"
HKCR\Clsid\{D4281007-4929-4833-8E47-30A6C4DBD909}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0D050C4C-5819-467F-A9E4-19D3D1F48EC7}"
HKCR\Clsid\{0D050C4C-5819-467F-A9E4-19D3D1F48EC7}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
I booted up normally (non-selective startup) as you requested, and I ran it again just now to be sure, looks clean in this respect:
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 4/7/2006 12:41:02 PM
Attempting to delete infected files...
Making registry repairs.
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
Here's a fresh HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:58:08 PM, on 4/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\awxft.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,kreiebp.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110674607593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17950B61-021F-4465-B6B5-673A880F5203}: NameServer = 167.206.3.205,167.206.3.139
O17 - HKLM\System\CCS\Services\Tcpip\..\{4300BF9B-182C-4572-8D8A-45ABB009709F}: NameServer = 167.206.3.205,167.206.3.139
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINDOWS\system32\OUGHYA~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: app_filter - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Unknown owner - C:\Program Files\Norton Internet Security\ISSVC.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
Thank you again for your reply, I await the next eagerly :)
pskelley
2006-04-07, 20:49
You are certainly welcome. Let me ask first that you copy and paste your logs just as they are, do not bold them or change them in any other manner, post them just as they are, thanks.
Looks like Look2me is gone, good job, I am going to do a good cleaning as we remove the rest, if this works for you then proceed like this.
1) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.
2) ewido scan:
Please download Ewido Security Suite (http://www.ewido.net/en/download/) it is a trial version of the program.
Install ewido security suite
Launch ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates (http://www.ewido.net/en/download/updates/)
Once the updates are installed do the following:
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")
3) Some programs will stop our fix, Windows Defender is new and may be one, we need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender, Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.
(Some items may be removed before you get to them, don't be concerned if something is not there, just do not miss anything)
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\awxft.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,kreiebp.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINDOWS\system32\OUGHYA~1.DLL
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
RIGHT Click on Start then click on Explore. Locate and delete these items:
kreiebp.exe >>> file (you will have to search for the location of this one)
C:\WINDOWS\CheckS02.exe >>> file
C:\WINDOWS\system32\awxft.exe >>> file
C:\WINDOWS\system32\OUGHYA~1.DLL >>> file
C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.
This stuff gets harder and harder to remove. the 015 items are especially hard, if they are still there when you make the next log, reboot to safe mode and use HJT to delete them there:
http://www.bleepingcomputer.com/tutorials/tutorial61.html
Restart the computer and post the ewido scan results, a new HJT log and any comments you think will help. I will see what we have left to do at that point.
Thanks...Phil
vxmorpheusxv
2006-04-08, 00:23
Hey, I did all the things you requested above. I wasn't able to delete awxft.exe, wouldn't let me, and when i tried booting into safe mode to delete it, it didn't exist. The 015 stuff stayed gone, though.
Upon booting up normally again, ewido immediately found jngbtv.exe, and when I tried to do as it suggested (delete), it would consistently pop back up again, so I was forced to tell it to take no action. The same happened with awxft.exe, which it found and couldn't seem to keep deleted. It also found pugbleb.dll (which it deleted), and cusca.exe.
The following is too long to place in one post, so I'm breaking it up into multiple. I'd just host it but I have no webspace atm >.<
vxmorpheusxv
2006-04-08, 00:28
Here's the ewido scan log, had to break into two posts:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 5:29:24 PM, 4/7/2006
+ Report-Checksum: 5264AA90
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000010} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-583907252-1957994488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000000000010} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-583907252-1957994488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
[1440] C:\WINDOWS\system32\pugbleb.dll -> Downloader.Qoologic.bj : Error during cleaning
[1464] C:\WINDOWS\system32\pugbleb.dll -> Downloader.Qoologic.bj : Error during cleaning
[1480] C:\WINDOWS\system32\pugbleb.dll -> Downloader.Qoologic.bj : Error during cleaning
[1488] C:\WINDOWS\system32\pugbleb.dll -> Downloader.Qoologic.bj : Error during cleaning
[1496] C:\WINDOWS\system32\pugbleb.dll -> Downloader.Qoologic.bj : Error during cleaning
[1504] C:\WINDOWS\system32\pugbleb.dll -> Downloader.Qoologic.bj : Error during cleaning
[1528] C:\WINDOWS\system32\pugbleb.dll -> Downloader.Qoologic.bj : Error during cleaning
[1560] C:\WINDOWS\system32\pugbleb.dll -> Downloader.Qoologic.bj : Error during cleaning
[1588] C:\WINDOWS\system32\pugbleb.dll -> Downloader.Qoologic.bj : Error during cleaning
[1620] C:\WINDOWS\system32\pugbleb.dll -> Downloader.Qoologic.bj : Error during cleaning
[1648] C:\WINDOWS\system32\pugbleb.dll -> Downloader.Qoologic.bj : Error during cleaning
[1656] C:\WINDOWS\system32\pugbleb.dll -> Downloader.Qoologic.bj : Error during cleaning
[3700] C:\WINDOWS\system32\pugbleb.dll -> Downloader.Qoologic.bj : Error during cleaning
[692] C:\WINDOWS\system32\pugbleb.dll -> Downloader.Qoologic.bj : Error during cleaning
C:\Documents and Settings\Administrator\Local Settings\Temp\temp.fr392C -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\temp.frC1E0 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@c.goclick[1].txt -> TrackingCookie.Goclick : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.142:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.143:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.144:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.148:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.158:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.168:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.169:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.176:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.177:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.178:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.179:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.180:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.181:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.182:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.183:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.184:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.185:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.186:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.187:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.188:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.222:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.223:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.231:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.232:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.233:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.234:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.235:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.236:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
vxmorpheusxv
2006-04-08, 00:30
:mozilla.238:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.241:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Epilot : Cleaned with backup
:mozilla.306:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Hypertracker : Cleaned with backup
:mozilla.381:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.388:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.412:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.454:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.455:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.462:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.472:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.485:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.486:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.488:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.489:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.505:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.506:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.507:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.508:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.509:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.528:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.529:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.530:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.531:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.561:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.562:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.563:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.564:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.565:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.566:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.567:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.568:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.569:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.570:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.571:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.572:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.573:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.574:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.579:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.580:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.581:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.582:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.598:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.599:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.600:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.601:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.602:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.603:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.604:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.605:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.606:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.607:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.608:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.609:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.610:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.683:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.684:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.690:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.691:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.692:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.693:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.694:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.695:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.696:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.697:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.699:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Cqcounter : Cleaned with backup
:mozilla.706:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.707:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.708:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.709:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.710:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.711:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned with backup
:mozilla.731:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.732:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.733:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.748:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned with backup
:mozilla.750:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.751:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.758:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.759:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.760:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.761:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.762:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.783:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.786:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.787:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.788:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.789:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.790:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.801:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.802:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.803:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.804:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.812:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Realtracker : Cleaned with backup
:mozilla.813:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Realtracker : Cleaned with backup
:mozilla.846:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
:mozilla.854:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Epilot : Cleaned with backup
:mozilla.863:C:\Documents and Settings\Rol\Application Data\Mozilla\Firefox\Profiles\flza7fw1.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@ad.adocean[1].txt -> TrackingCookie.Adocean : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@ad1.clickhype[2].txt -> TrackingCookie.Clickhype : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@adorigin[2].txt -> TrackingCookie.Adorigin : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@cartoonnetwork.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@cnetasiapacific.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@cz4.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@cz5.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@cz7.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wfk4ghczmhp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
vxmorpheusxv
2006-04-08, 00:30
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wfk4kldjogp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wfkicjc5kao.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wfkowjc5ako.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wfkygnazmeo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wfkyooajgcq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wfkyqjc5skq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wfkyqmczwfo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wfkysoazwhq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wfl4undpgaq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wflikkcjwgp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wflikmc5wgo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wfmiwpdpwap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wfmygid5kko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wfmysmczwgp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjk4khdzghq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjk4oldpkho.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjkoehczgaq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjkokpcpiho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjkoujcjofo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjkowldzggq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjkyskcjago.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjkyukcpskq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjl4ujcpwho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjliepd5ado.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjlokid5mao.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjloqmdzgbp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjlosjdjago.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjlycpcjeep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjlywjcjsdo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjmiwkcpklp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjmyaic5ekp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjmyslajocp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjmyumd5kcq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjny-1pazcg.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjnyamd5okp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjnyegcjkho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjnyggazadq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjnygpczeao.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjnysjczcfp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@e-2dj6wjnyuhczelo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@efashionsolutions.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@ezgreets.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@h.starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@hypertracker[2].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@ilead.itrack[1].txt -> TrackingCookie.Itrack : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@install.bestoffersnetworks[2].txt -> TrackingCookie.Bestoffersnetworks : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@msninvite.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@news.com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@sec1.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@server3.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@stats.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@try.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@vip.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@www.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@www.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@www.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup
C:\Documents and Settings\Rol\Cookies\rol@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@c.enhance[2].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@highbeam.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@maxim.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\Cookies\rol@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\F1F48.tmp/slk8x2peu.exe -> Adware.Suggestor : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\loadadv640.exe -> Downloader.Harnig.bc : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\q2.exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\q6.exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\un67.tmp -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temp\xxx1.exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temporary Internet Files\Content.IE5\4LABKD2N\ac2[1].txt -> Downloader.Agent.ahv : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temporary Internet Files\Content.IE5\4LABKD2N\installerwnus[1].exe -> Downloader.Qoologic.at : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temporary Internet Files\Content.IE5\OD6F0LQB\ZICORN001[1].exe -> Adware.ZenoSearch : Cleaned with backup
C:\Documents and Settings\Rol\Local Settings\Temporary Internet Files\Content.IE5\ST63O1AZ\WinATS[1].cab/WinATS.dll -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\system32\ad.html -> Hijacker.Agent.e : Cleaned with backup
C:\WINDOWS\system32\guard.txt -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\installer.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\WINDOWS\system32\oughyatuy.dll -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\system32\pkveg.dat -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINDOWS\system32\q.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\q3.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\q5.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\viptr76yg.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\system32\w098295e.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\z1.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\z3.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__pugbleb.dll -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINDOWS\Temp\Cookies\rol@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\rol@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\rol@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\rol@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\WINDOWS\Temp\Cookies\rol@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\WINDOWS\Temp\Cookies\rol@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\WINDOWS\Temp\Cookies\rol@c.enhance[2].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\WINDOWS\Temp\Cookies\rol@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\WINDOWS\Temp\Cookies\rol@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\WINDOWS\Temp\Cookies\rol@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\WINDOWS\Temp\Cookies\rol@highbeam.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\WINDOWS\Temp\Cookies\rol@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\WINDOWS\Temp\Cookies\rol@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\WINDOWS\Temp\Cookies\rol@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\WINDOWS\Temp\Cookies\rol@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\WINDOWS\Temp\Cookies\rol@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\uniq -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup
::Report End
vxmorpheusxv
2006-04-08, 00:33
Didn't expect that to take 3 posts, I would have found a place to host it up if I had realized, sorry about that.
Here's a fresh HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 6:15:10 PM, on 4/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\awxft.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,kreiebp.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [fbrtu] C:\WINDOWS\system32\jngbtv.exe reg_run
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110674607593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17950B61-021F-4465-B6B5-673A880F5203}: NameServer = 167.206.3.205,167.206.3.139
O17 - HKLM\System\CCS\Services\Tcpip\..\{4300BF9B-182C-4572-8D8A-45ABB009709F}: NameServer = 167.206.3.205,167.206.3.139
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: app_filter - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Unknown owner - C:\Program Files\Norton Internet Security\ISSVC.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
Also, sorry about bolding everything in my earlier post, misinterpreted what you had said, thought you told me to bold it hehe.
I'm glad a program finally recognized the jngbtv.exe item, but it cannot seem to get rid of it, nor any of those others I mentioned above.
Eagerly awaiting your next response ^.^
vxmorpheusxv
2006-04-08, 01:01
Hm, to add to the above, I just checked in my system32 folder, and I couldn't find any trace of the jngbtv.exe or awxft.exe in there, nor are they currently running as they had been for the past few days. Perhaps their gone? Not sure how though o.0
pskelley
2006-04-08, 01:40
Thanks for returning the logs, we have a problem in a [1440] C:\WINDOWS\system32\pugbleb.dll -> Downloader.Qoologic.bj : Error during cleaning
This trojan can be hard to remove, but often ewido can do it in safe mode. After I look at the HJT log, I'll give you those instructions and we will see what happens.
You are collecting some nasty cookies, here is some information to help you control those if you wish:
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx
http://privacy.getnetwise.org/browsing/tools/firefox1/ffdisablecookies
http://www.mozilla.org/projects/security/pki/psm/help_21/using_priv_help.html
This last HJT log, MSConfig is running in Selective Startup. I did not see this in the earlier logs, and I need to see it in Normal Mode until we finish, if you need instructions for doing that, let me know.
I want to say that this is still a badly infected computer, some of these items I have never seen before. I suggest you keep this computer offline as much as possible because this junk attracts others and you have enough now.
Look over the instructions several times before you start, print them so you can see them in safe mode. Search for the files you need to delete so you will know where they are.
Review the tutorial so you will know how to use KilBox if you need it. Then follow the instructions for downloading.
http://forum.malwareremoval.com/viewtopic.php?t=320 Use this tool if you can't delete the files manually.
Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
SHOW HIDDEN FILES: MANUAL INSTRUCTIONS
Double click my computers & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
I am giving you two looks at this, if you can't see them you can't delete them. You also did not mention this one that I could see: kreiebp.exe >>> file <<< make sure you know where it is when you start.
Windows Defender is new and we are still learning what it does, it may block our fix, even in safe mode? Use these instructions and turn it off until you are finished:
We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender, Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.
Here is what I want to do next. Open the ewido program and update to get the latest information, then close it.
Reboot the computer and start it in safe mode, once you are in safe mode open ewido and run it allowing it to remove everything it locates unless you know it is not bad. Make sure you save the scan report, I must see it.
While still in safe mode: Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\awxft.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,kreiebp.exe
O4 - HKCU\..\Run: [fbrtu] C:\WINDOWS\system32\jngbtv.exe reg_run
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Locate and delete these items:
kreiebp.exe
C:\WINDOWS\system32\awxft.exe
C:\WINDOWS\system32\jngbtv.exe
They have to go, if you can't delete them in safe mode, then use the Killbox to do it.
When you are finished, I would like to see the ewido scan report and a new HJT log also your comments.
Thanks
vxmorpheusxv
2006-04-08, 03:06
Hey, sorry I thought I had disabled selective startup, set it to normal now.
I ran ewido in safemode and it was able to delete the downloader.qoologic. It was NOT called pugbleb.dll though, it had another name which is noted in the log.
The ewido log is listed below:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 8:39:50 PM, 4/7/2006
+ Report-Checksum: 20D7C54B
+ Scan result:
C:\WINDOWS\system32\pkveg.dat -> Downloader.Qoologic.bj : Cleaned with backup
::Report End
I searched for the 3 files you mentioned in the end of your last post (kreiebp.exe, awxft.exe and jngbtv.exe), but could not find them. I booted normally, and also could not find them. They don't appear to exist any longer (no process with them running either), not really sure why.
Here's a fresh HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 9:01:11 PM, on 4/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [fbrtu] C:\WINDOWS\system32\jngbtv.exe reg_run
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110674607593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17950B61-021F-4465-B6B5-673A880F5203}: NameServer = 167.206.3.205,167.206.3.139
O17 - HKLM\System\CCS\Services\Tcpip\..\{4300BF9B-182C-4572-8D8A-45ABB009709F}: NameServer = 167.206.3.205,167.206.3.139
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: app_filter - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Unknown owner - C:\Program Files\Norton Internet Security\ISSVC.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
The jngbtv appears to still be in the HJT log, even though I deleted it in safemode as per your suggestion.
pskelley
2006-04-08, 04:31
OK, this has been a tough one, would you use Killbox on this one:
C:\WINDOWS\system32\jngbtv.exe to see if that will get rid of it. Try the Standard File Kill first, if that does not do it, then use Delete on Reboot. It seems to be running in the registry and that is probably why it is resisting so hard. These hackers are getting harder and harder to defeat
Let me know how that works.
Because of all the nasties that were onboard, I would like to run another scan.
Please do an online scan with Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (If available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
There shoul dbe few cookies but if there are System Restore items, please edit them out before you post the scan results. We will be cleaning System Restore before we finish.
Thanks...Phil
vxmorpheusxv
2006-04-08, 08:18
I tried to run kilbox, couldn't find the file (didn't exist pasting that in) in standard kill. I tried doing delete on reboot, but once the countdown to reboot was done it gave me the message: PendingFileRenameOperations Registry Data has been removed by External Process!
Here is the log from the Kaspersky Online Scanner:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, April 08, 2006 2:11:20 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 8/04/2006
Kaspersky Anti-Virus database records: 186912
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
Scan Statistics:
Total number of scanned objects: 140120
Number of viruses found: 17
Number of infected objects: 36
Number of suspicious objects: 0
Duration of the scan process: 01:54:31
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Rol\.housecall\Quarantine\ac2_0003[1].exe.bac_a03576 Infected: Trojan-Downloader.Win32.Small.cpu skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\cusca.exeCommon Startup.bac_a03576 Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\Dc88.exe.bac_a03576 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\Dc89.exe.bac_a03576 Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\Dc93.exe.bac_a03576 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\dmonwv.dll.bac_a03576 Infected: Trojan-Downloader.Win32.Agent.agw skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\drsmartload46a[1].exe.bac_a03576 Infected: Trojan-Downloader.Win32.Adload.ai skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\drsmartload[1].exe.bac_a03576 Infected: Trojan-Downloader.Win32.VB.zg skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\eeedo[1].exe.bac_a03576/data.rar/eee2.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.k skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\eeedo[1].exe.bac_a03576/data.rar Infected: not-a-virus:AdWare.Win32.MediaMotor.k skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\eeedo[1].exe.bac_a03576 RarSFX: infected - 2 skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\eeedo[1].exe.bac_a03576 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\f9833031.exe.bac_a03576 Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\f9944656.exe.bac_a03576 Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\keyboard7[1].exe.bac_a03576 Infected: Trojan-Downloader.Win32.VB.zg skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\mediaview[1].cab.bac_a01216/elite.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.h skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\mediaview[1].cab.bac_a01216 CAB: infected - 1 skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\mediaview[1].cab.bac_a01216 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\mediaview[1].cab.bac_a03576/elite.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.h skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\mediaview[1].cab.bac_a03576 CAB: infected - 1 skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\mediaview[1].cab.bac_a03576 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\mousepad7[1].exe.bac_a03576 Infected: Trojan.Win32.VB.ali skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\newname7[1].exe.bac_a03576 Infected: Trojan-Downloader.Win32.Adload.ae skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\pkveg.dat.bac_a03576 Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\sk02[1].exe.bac_a03576/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\sk02[1].exe.bac_a03576 NSIS: infected - 1 skipped
C:\Documents and Settings\Rol\.housecall\Quarantine\sk02[1].exe.bac_a03576 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Rol\Desktop\ccsetup128.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Rol\Desktop\ccsetup128.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Rol\Desktop\ccsetup128.exe NSIS: infected - 2 skipped
C:\Program Files\Aodws nt\Cache\00004b51_43f8cbee_000e1113 Infected: Trojan-Downloader.HTML.Agent.ad skipped
C:\Program Files\Aodws nt\Cache\000052c4_43f4288a_000e222a Infected: Exploit.HTML.Mht skipped
C:\WINDOWS\system32\drsmartload482a.exe Infected: Trojan-Downloader.Win32.Adload.af skipped
C:\WINDOWS\system32\dvdsrv32.exe Infected: Trojan.Win32.Crypt.t skipped
C:\WINDOWS\system32\Win3.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\WINDOWS\system32\Win3.exe NSIS: infected - 1 skipped
Scan process completed.
Just to note, I have disabled my system restore feature.
Also, out of curiosity, is the directory "C:\Program Files\Aodws nt" of significance? Not really sure what it is, but it seems to have alot in it.
Sorry for the late reply on this one too, the scan took quite a while on this one so I left it running while I did some other stuff.
pskelley
2006-04-08, 14:02
Just to note, I have disabled my system restore feature.Please enable it, we believe if there is a major problem and we need System Restore, a bad one is better than none. I also close with instructions to clean the SR files. Since you turned it off (disabled), when you turn it back on anything bad that was in them will be gone.
The only way we can tell if the fill you killboxed is gone is with a HJT log.
Let's address the Kaspersky results and then run another to make sure the Kaspersky scan is clean.
Don't worry about the time, I am in Florida, EST and did not see it until the morning anyway
You should be able to delete this stuff in normal mode, none of it is running:
C:\Documents and Settings\Rol\.housecall\Quarantine\ <<< delete the entire contents of the folder in red...NOT THE FOLDER
C:\Program Files\Aodws nt\Cache\ <<< I can find no information about Aodws nt but for now, delete the contents of the folder in red. While you are there, see what you can find about the Aodws nt. Can you right click and choose properties?
C:\WINDOWS\system32\drsmartload482a.exe Infected: Trojan-Downloader.Win32.Adload.af skipped
C:\WINDOWS\system32\dvdsrv32.exe Infected: Trojan.Win32.Crypt.t skipped
C:\WINDOWS\system32\Win3.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\WINDOWS\system32\Win3.exe NSIS: infected - 1 skipped
drsmartload482a.exe <<< bad
dvdsrv32.exe <<< no google, let's delete it
Win3.exe <<< these two are showing possible association with: http://209.167.114.38/support/TechSupport/TSBs/100/tsb0171.htm <<< do you have such a printer.
I would say to delete them both, Kaspersky is showing them as infected.
You can scan them if you wish:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
Once this is done run another Kaspersky scan which should be clean, post that and a HJT log and let's hope that does it:)
Thanks
vxmorpheusxv
2006-04-09, 10:28
Deleted all the files that you mentioned without any trouble.
I also deleted the contents of Aodws nt, though there were QUITE a few (36,000 about), took up quite some space. Deleting them didn't seem to have an effect, I'm not quite sure what went on there :scratch:
I ran the kaspersky online scan, here are the results:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, April 09, 2006 4:22:50 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 9/04/2006
Kaspersky Anti-Virus database records: 187045
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
Scan Statistics:
Total number of scanned objects: 104027
Number of viruses found: 13
Number of infected objects: 30
Number of suspicious objects: 0
Duration of the scan process: 01:38:19
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Rol\Desktop\ccsetup128.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Rol\Desktop\ccsetup128.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Rol\Desktop\ccsetup128.exe NSIS: infected - 2 skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc10.bac_a03576/data.rar/eee2.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.k skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc10.bac_a03576/data.rar Infected: not-a-virus:AdWare.Win32.MediaMotor.k skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc10.bac_a03576 RarSFX: infected - 2 skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc10.bac_a03576 CryptFF.b: infected - 2 skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc11.bac_a03576 Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc12.bac_a03576 Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc13.bac_a03576 Infected: Trojan-Downloader.Win32.VB.zg skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc14.bac_a01216/elite.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.h skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc14.bac_a01216 CAB: infected - 1 skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc14.bac_a01216 CryptFF.b: infected - 1 skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc15.bac_a03576/elite.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.h skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc15.bac_a03576 CAB: infected - 1 skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc15.bac_a03576 CryptFF.b: infected - 1 skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc16.bac_a03576 Infected: Trojan.Win32.VB.ali skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc17.bac_a03576 Infected: Trojan-Downloader.Win32.Adload.ae skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc18.bac_a03576 Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc19.bac_a03576/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc19.bac_a03576 NSIS: infected - 1 skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc19.bac_a03576 CryptFF.b: infected - 1 skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc2.bac_a03576 Infected: Trojan-Downloader.Win32.Small.cpu skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc3.bac_a03576 Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc4.bac_a03576 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc5.bac_a03576 Infected: Trojan.Win32.VB.tg skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc6.bac_a03576 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc7.bac_a03576 Infected: Trojan-Downloader.Win32.Agent.agw skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc8.bac_a03576 Infected: Trojan-Downloader.Win32.Adload.ai skipped
C:\RECYCLER\S-1-5-21-583907252-1957994488-839522115-1003\Dc9.bac_a03576 Infected: Trojan-Downloader.Win32.VB.zg skipped
Scan process completed.
After I did I emptied my recycling bin, which I had apparently forgotten to do eh (I usually shift delete).
I also re-enabled system restore as your requested.
Here's a fresh HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 4:27:00 AM, on 4/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [fbrtu] C:\WINDOWS\system32\jngbtv.exe reg_run
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110674607593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17950B61-021F-4465-B6B5-673A880F5203}: NameServer = 167.206.3.205,167.206.3.139
O17 - HKLM\System\CCS\Services\Tcpip\..\{4300BF9B-182C-4572-8D8A-45ABB009709F}: NameServer = 167.206.3.205,167.206.3.139
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: app_filter - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Unknown owner - C:\Program Files\Norton Internet Security\ISSVC.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
I looks as though the jngbtv.exe is still showing up in the hjt :(. Everything appears to be running fine though, aside from that. I can't seem to actually find the file jngbtv.exe (I have show hidden files and folders etc. enabled), though as shown above there's a registry entry or something pertaining to it.
pskelley
2006-04-09, 13:49
Hold all of this post, I checked with one of our experts here and it seems this is a new variety of the Qoologic trojan as ewido showed us. I will post the instructions in the next post.
Good morning, I see you said this:
I looks as though the jngbtv.exe is still showing up in the hjt
Unless you quit, we will continue working on that item until we identify or remove it. I am still not 100% sure it is bad, since we can't find it to look at it, but I have never seen a valid file act like this. Let's look at Kaspersky and the HJT log now.
You mentioned you enabled System Restore, that is good. We may want to do it again just in case this item we are trying to remove is also backed up in SR, but not until it is gone.
The first three items in Kaspersky look like something CCleaner removed that Kaspersky is seeing as not good. That will go when you delete that backup which you may do whenever you are comfortable CCleaner removed nothing needed from the registry. I personally have never had to restore anything CCleaner removed, but it is still best to have the backup. The balance of those went when you emptied the Recycle Bin.
Recap: I have googled this every way I can looking for information, we can't locate it and I think it is running from the registry: jngbtv.exe reg_run
Let me say this to be sure...it is important that you make a backup if you do anything in the registry.
Having said that I am going to try a few things I have not tried before. If the first one does not work, I will give you a registry cleaner and you should be able to locate the item and remove it.
1) Download this tool: ATF Cleaner
Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Now open HJT and choose "Open the Misc Tools section", then "Delete a file on reboot" copy/paste C:\WINDOWS\system32\jngbtv.exe in the "file Name" box. Just before you reboot to see what happens, follow the instructions with ATF-Cleaner and clean everything. Keep in mind cleaning Prefetch slows you until Windows repopulates it and the trial of ewido is also slowing you down, that needs to be uninstalled or turned off. (I keep it and run it manually, free updates are available)
Once you have cleaned with ATF-Cleaner, allow the system to reboot and see what happen. If the item is still there, then try to locate and delete it from the registry with this free Registry Cleaner.
2) http://www.hoverdesk.net/freeware.htm
Backup Registry:
Backup your Registry...
- Press "CTRL - ALT - DEL" keys all at the same time to start "Task Manager"
- In the Task Manager window click on "File", then from the drop-down menu select "New Task (Run...)"
- In the "Create New Task" window enter\type "regedit" (without quotes)
- Once Regedit opens click on the FILE menu and select Export
- Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL
RegSeeker canned:
I recommend you download RegSeeker. Extract it to it's own folder,
open and double click RegSeeker.exe to start the program.
Maximize the window and click clean registry. Check all sections and click OK.
When the scan is complete, verify the backup box in lower left corner is checked
and click the select all button, then select all again. Then right click within
the search results and select delete. Run it again and again, deleting everything
it finds until it finds nothing. Reboot and make sure your programs are working properly,
control panel and add/remove programs windows open, etc (basically just do a quick check of everything).
In the event anything was 'broken', you can open RegSeeker, click backups and double click
any/all files to put the information back. A reboot may be required for the effects to be seen.
Reboot When done.
Keep me posted...Phil
pskelley
2006-04-09, 15:05
Please follow these instructions:
Thanks to LonnyRJones and any others who helped with this fix. Thanks also to illukka for his guidance.
Download Brute Force Uninstaller to your C:\
Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\
Download qoofix.bat (rightclick on this link and choose save as)
Place qoofix.bat in your C:\BFU - folder. (Important!)
Doubleclick qooFix.bat, Close all browsers and explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
After the PC has restarted please post another hijackthis log.
Thanks...Phil
How is it going vxmorpheusxv
vxmorpheusxv
2006-04-16, 09:10
Hey I'm still here, sorry I haven't responded back, haven't gotten a chance to do all the things listed above. Need to grab some sleep at the moment (3:08, need to wake early tomorrow), but I'm gonna try to run through all (or some at least) of the stuff tomorrow morning.
Sorry for not replying sooner, I really do very much appreciate all the help, sorry again in not being more fastidious in response to your requests.
Hopefully replying tomorrow morning.
Closing this topic to prevent others with similar issues posting in it.
I will not archive it yet, please pm me to re-open.