Can't Get these tricky pop-ups



Jeffb21
2006-09-14, 04:56
Hey, I have tried running Spybot many times with the latest updates, and running it at system startup, but I just can't get these pop-ups to go away. It will be OK for a day or so after I scan, then all of a sudden they come back and get worse the longer I wait. So here's my HijackThis log file. Also it always says that I can't remove this command service thing during the scan, but I don't know if that is linked to the problem.

Jeffb21
2006-09-14, 05:01
The problem is similar to what this other guy (http://forums.spybot.info/showthread.php?t=6654) seems to have with the item I can't remove when I scan.

pskelley
2006-09-14, 14:41
Welcome to the forum. Since you have not followed many of the instructions, I will post these links for you:
http://forums.spybot.info/showthread.php?t=425
http://forums.spybot.info/showthread.php?t=288

Click that, save the log somewhere, and copy/paste into your own new topic
a) The HJT log
b) The on-line Anti Virus scan log/report


Please do not bump your topic. (posting such as hello, anyone there, bump, nudge etc)
Doing so could actually delay a response as Helpers may think you are already being assisted because of the post count.

Thanks

Jeffb21
2006-09-15, 05:24
Alright, I did Windows Update and that didn't help. Here is my HijackThis log that I just did. BTW I wasn't just bumping my post, man, I was trying to help, so please don't accuse me of that. I wanted to edit my first post but I couldn't figure out how to do it, so I posted. OK.

Logfile of HijackThis v1.99.1
Scan saved at 8:23:00 PM, on 9/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\csrss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINXP\SM1BG.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\system32\RunDLL32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINXP\system32\CTHELPER.EXE
C:\WINXP\System32\svchost.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\WINXP\thiselt.exe
C:\WINXP\system32\wdfmgr.exe
C:\Program Files\Common Files\{68B21C28-0892-1033-1122-040618040001}\Update.exe
C:\Program Files\Common Files\??sembly\s?rvices.exe
E:\steam\steam.exe
C:\PROGRA~1\COMMON~1\FNTS~1\svchost.exe
C:\PROGRA~1\COMMON~1\ofzf\ofzfm.exe
C:\PROGRA~1\COMMON~1\ofzf\ofzfa.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINXP\System32\alg.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\iTunes\iTunes.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\WINXP\TEMP\win67D.tmp.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jeff B\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINXP\system32\WinNB58.dll
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [UpdReg] C:\WINXP\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINXP\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINXP\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINXP\thiselt.exe
O4 - HKLM\..\Run: [tlv63603] RUNDLL32.EXE w0837968.dll,n 004635ff000000020837968
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Vbsfeqrv] C:\Program Files\Common Files\??sembly\s?rvices.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Steam] "e:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Hucr] "C:\PROGRA~1\COMMON~1\FNTS~1\svchost.exe" -vt yax
O4 - HKCU\..\Run: [ofzf] C:\PROGRA~1\COMMON~1\ofzf\ofzfm.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: repairs303169590.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

pskelley
2006-09-15, 11:07
Let's start off by making sure you understand that we are volunteers, anything I tell you is for your benefit. You should also be able to edit your posts.
http://forums.spybot.info/faq.php?faq=vb_read_and_post#faq_vb_edit_posts
http://forums.spybot.info/faq.php?faq=vb_faq#faq_vb_user_maintain

Some of the infections that you have act as magnets to download other malware, some of what you have can also compromise your online security. I would strongly suggest that except for posting here that you stay off the internet until we have you all cleaned up.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall. If the log is large you might need to post half in one reply and half in another.

Post a new HJT log with the ComboFix log.

Thanks

Jeffb21
2006-09-16, 05:37
Alright, I ran that and it looks good so far. Here are my log files:


Scan saved at 8:37:15 PM, on 9/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINXP\SM1BG.EXE
C:\WINXP\system32\RunDLL32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINXP\system32\CTHELPER.EXE
C:\WINXP\system32\wuauclt.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
E:\steam\steam.exe
C:\PROGRA~1\COMMON~1\ofzf\ofzfm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\COMMON~1\ofzf\ofzfa.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jeff B\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [UpdReg] C:\WINXP\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINXP\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINXP\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [tlv63603] RUNDLL32.EXE w0837968.dll,n 004635ff000000020837968
O4 - HKCU\..\Run: [Vbsfeqrv] C:\Program Files\Common Files\??sembly\s?rvices.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Steam] "e:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Hucr] "C:\PROGRA~1\COMMON~1\FNTS~1\svchost.exe" -vt yax
O4 - HKCU\..\Run: [ofzf] C:\PROGRA~1\COMMON~1\ofzf\ofzfm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Jeffb21
2006-09-16, 05:39
Jeff B - 06-09-15 20:30:00.57 Service Pack 2
ComboFix 06.09.14 - Running from: C:\Documents and Settings\Jeff B\Desktop

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINXP\system32\repairs303169590.dll
C:\Documents and Settings\Jeff B\Application Data\Sskknwrd.dll
C:\WINXP\system32\bk.exe
C:\Program Files\surfsidekick 3\Ssk.exe
C:\Program Files\surfsidekick 3\SskBho.dll
C:\Program Files\surfsidekick 3\SskCore.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINXP\system32\issearch.exe
C:\WINXP\system32\WinNB58.dll
C:\WINXP\thiselt.exe
C:\WINXP\system32\ixt1.dll
C:\WINXP\system32\ixt2.dll
C:\Program Files\Safety Bar
C:\WINXP\system32\components
C:\Program Files\Common Files\{68B21C28-0892-1033-1122-040618040001}
C:\WINXP\SmVmZiBCb2Jyb3dza2k

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Jeff B\Application Data\ICROSO~1
C:\QooBox\Purity\Documents and Settings\Jeff B\My Documents\CROSOF~1.NET
C:\QooBox\Purity\Documents and Settings\Jeff B\My Documents\MCROSO~1.NET
C:\QooBox\Purity\Program Files\YSTEM3~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1
C:\QooBox\Purity\Program Files\Common Files\SEMBLY~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1\FNTS~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1\svchost.exe
C:\QooBox\Purity\Program Files\Common Files\SEMBLY~1\s?rvices.exe
C:\QooBox\Purity\WINXP\system32\PPPATC~1


((((((((((((((((((((((((((((((( Files Created from 2006-08-15 to 2006-09-15 ))))))))))))))))))))))))))))))))))


2006-09-15 20:26 86,068 --a------ C:\WINXP\system32\faumooaj.dll
2006-09-13 21:23 30,208 --a------ C:\WINXP\ss1205.exe
2006-09-13 21:23 184,939 --a------ C:\WINXP\YazzleBundle-1119.exe
2006-09-13 21:22 2,560 --a------ C:\WINXP\ac3_0002.exe
2006-09-13 21:22 139,264 --a------ C:\WINXP\MirarSetup_876057.exe
2006-09-07 17:59 126,976 --a------ C:\WINXP\system32\elpdrpug.dll
2006-08-21 18:01 13,844 --a------ C:\WINXP\system32\argnswmj.exe
2006-08-19 21:16 569,344 -ra------ C:\WINXP\system32\imagr5.dll
2006-08-19 21:16 544,768 -ra------ C:\WINXP\system32\imagx5.dll
2006-08-19 21:16 38,912 -ra------ C:\WINXP\system32\picn20.dll
2006-08-19 21:16 283,920 -ra------ C:\WINXP\system32\ImagXpr5.dll
2006-08-19 21:16 155,648 -ra------ C:\WINXP\system32\NeroCheck.exe
2006-08-17 19:46 13,844 --a------ C:\WINXP\system32\rlyvbnlj.exe
2006-08-16 10:09 12,308 --a------ C:\WINXP\system32\qpkpgodo.exe
2006-08-16 10:07 1 --a------ C:\WINXP\system32\au3305adc.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-15 20:31 -------- d-------- C:\Program Files\Common Files
2006-09-15 20:29 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-15 20:26 978690 ---hs---- C:\WINXP\system32\rstwa.bak2
2006-09-14 20:43 -------- d-------- C:\Program Files\SpywareBlaster
2006-09-13 21:23 32178 ---hs---- C:\Program Files\Common Files\Yazzle1119OinUninstaller.exe
2006-09-13 19:56 -------- d-------- C:\Program Files\PrintView
2006-09-13 19:43 -------- d-------- C:\Program Files\Safer Networking
2006-09-10 23:05 -------- d-------- C:\Program Files\Trillian
2006-09-08 10:15 157184 ---hs---- C:\Program Files\Common Files\Yazzle1119OinAdmin.exe
2006-09-07 17:59 2 --a------ C:\WINXP\system32\wnscptr.exe
2006-09-06 20:24 -------- d-------- C:\Program Files\Common Files\ofzf
2006-09-03 22:23 -------- d-------- C:\Program Files\CCleaner
2006-09-02 23:44 -------- d-------- C:\Program Files\Winamp
2006-08-28 21:48 -------- d-------- C:\Program Files\Apollo DVD Copy
2006-08-27 18:53 -------- d-------- C:\Program Files\DVD Decrypter
2006-08-27 18:47 -------- d-------- C:\Documents and Settings\Jeff B\Application Data\dvdcss
2006-08-22 18:01 -------- d-------- C:\Program Files\Java
2006-08-21 05:21 16896 --a------ C:\WINXP\system32\fltlib.dll
2006-08-21 02:14 23040 --a------ C:\WINXP\system32\fltmc.exe
2006-08-21 02:14 128896 --------- C:\WINXP\system32\drivers\fltmgr.sys
2006-08-19 21:17 -------- d-------- C:\Documents and Settings\Jeff B\Application Data\Ahead
2006-08-19 21:16 -------- d-------- C:\Program Files\Common Files\Ahead
2006-08-19 21:16 -------- d-------- C:\Program Files\Ahead
2006-08-16 10:20 -------- d-------- C:\Program Files\DVD Shrink
2006-08-13 23:19 -------- d-------- C:\Program Files\Internet Explorer
2006-08-13 21:53 573492 ---hs---- C:\WINXP\system32\awtsr.dll
2006-08-13 21:53 307523 ---hs---- C:\WINXP\system32\rstwa.bak1
2006-08-13 21:46 40973 ---hs---- C:\WINXP\system32\ddcywtq.dll
2006-08-13 21:46 39424 --a------ C:\WINXP\YAXUninst.exe
2006-08-13 21:46 18944 --a------ C:\WINXP\system32\winzzc32.dll
2006-08-13 21:46 155136 --a------ C:\WINXP\system32\oins.exe
2006-08-13 21:46 13312 --a------ C:\WINXP\system32\bbf1f537.exe
2006-08-07 21:22 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-07 21:21 -------- d-------- C:\Program Files\Common Files\Adobe
2006-08-05 12:45 -------- d-------- C:\Program Files\Future Systems Solutions
2006-08-03 00:42 -------- d-------- C:\Program Files\WC3Banlist
2006-08-03 00:42 -------- d-------- C:\Program Files\Samsung
2006-07-30 18:41 -------- d-------- C:\Program Files\Codemasters
2006-07-30 18:38 223128 --a------ C:\WINXP\system32\drivers\dtscsi.sys
2006-07-30 18:38 -------- d-------- C:\Program Files\DAEMON Tools
2006-07-30 18:26 -------- d-------- C:\Documents and Settings\Jeff B\Application Data\AdobeUM
2006-07-30 18:16 -------- d-------- C:\Program Files\XBCD
2006-07-30 17:25 96256 --a------ C:\WINXP\system32\drivers\sptd8253.sys
2006-07-30 17:25 642560 --a------ C:\WINXP\system32\drivers\sptd.sys
2006-07-21 01:24 72704 --a------ C:\WINXP\system32\hlink.dll
2006-06-21 22:06 69120 --a------ C:\WINXP\system32\ciodm.dll
2006-06-21 22:06 1435648 --a------ C:\WINXP\system32\query.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vbsfeqrv"="C:\\Program Files\\Common Files\\??sembly\\s?rvices.exe"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"Steam"="\"e:\\steam\\steam.exe\" -silent"
"SrvShield32"=""
"RealPlayer"="\"C:\\Program Files\\Real\\RealOne Player\\realplay.exe\" /RunUPGToolCommandReBoot"
"Hucr"="\"C:\\PROGRA~1\\COMMON~1\\FNTS~1\\svchost.exe\" -vt yax"
"ofzf"="C:\\PROGRA~1\\COMMON~1\\ofzf\\ofzfm.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTStartup"="\"C:\\Program Files\\Creative\\Splash Screen\\CTEaxSpl.EXE\" /run"
"UpdReg"="C:\\WINXP\\UpdReg.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"SM1BG"="C:\\WINXP\\SM1BG.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PtiuPbmd"="Rundll32.exe ulutil2.dll,SetWriteBack"
"nwiz"="nwiz.exe /install"
"NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINXP\\system32\\NvCpl.dll,NvStartup"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTHelper"="CTHELPER.EXE"
"NeroCheck"="C:\\WINXP\\system32\\NeroCheck.exe"
"PVModule"="C:\\PROGRA~1\\PRINTV~1\\pvmodule.exe"
"tlv63603"="RUNDLL32.EXE w0837968.dll,n 004635ff000000020837968"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzzc32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: Fri 09/15/2006 20:34:36.26
ComboFix.txt

pskelley
2006-09-16, 13:48
No biggie, but you cut off the first line of the HJT log; use this method: Notepad > Edit > Select All > copy/paste the highlighted information.

1) Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) TeaTimer will block the changes we must make, turn it off until you are finished:
http://russelltexas.com/malware/teatimer.htm

5) These items are probably bad, please use these free online scanners to validate that fact. Do you know what they are?
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\PROGRA~1\COMMON~1\ofzf\ofzfm.exe
C:\PROGRA~1\COMMON~1\ofzf\ofzfa.exe
Tools: http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
Post the results for me to view.

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [tlv63603] RUNDLL32.EXE w0837968.dll,n 004635ff000000020837968
O4 - HKCU\..\Run: [Vbsfeqrv] C:\Program Files\Common Files\??sembly\s?rvices.exe
O4 - HKCU\..\Run: [Hucr] "C:\PROGRA~1\COMMON~1\FNTS~1\svchost.exe" -vt yax G
O4 - HKCU\..\Run: [ofzf] C:\PROGRA~1\COMMON~1\ofzf\ofzfm.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123

Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\PROGRAM FILES~1\PRINTV~1\ <<< delete that folder

C:\Program Files\Common Files\??sembly <<< delete that folder

C:\PROGRAM FILES~1\COMMON~1\FNTS~1\ <<< delete that folder

C:\PROGRAM FILES~1\COMMON~1\ofzf\ <<< delete that folder

C:\Program Files\Common Files\Yazzle1119OinUninstaller.exe <<< Delete that file

C:\Program Files\Common Files\Yazzle1119OinAdmin.exe <<< delete that file


(Delete these files, do it in safe mode if necessary. Be careful)
C:\WINXP\ss1205.exe
C:\WINXP\YazzleBundle-1119.exe
C:\WINXP\ac3_0002.exe
C:\WINXP\MirarSetup_876057.exe
C:\WINXP\system32\faumooaj.dll
C:\WINXP\system32\elpdrpug.dll
C:\WINXP\system32\argnswmj.exe
C:\WINXP\system32\rlyvbnlj.exe
C:\WINXP\system32\qpkpgodo.exe
C:\WINXP\system32\au3305adc.dll
C:\WINXP\system32\rstwa.bak1
C:\WINXP\system32\rstwa.bak2
C:\WINXP\system32\wnscptr.exe
C:\WINXP\system32\awtsr.dll
C:\WINXP\system32\ddcywtq.dll
C:\WINXP\YAXUninst.exe
C:\WINXP\system32\winzzc32.dll
C:\WINXP\system32\oins.exe
C:\WINXP\system32\bbf1f537.exe

I would use Killbox, but I am still learning this tool and I want these to stay in the Recycle Bin for a few days. I am almost sure they are all bad, but wish to be positive. After a few days you can empty the bin. I am interested in where you got all of this junk?

8) Run ATF Cleaner (DO NOT empty the recycle bin this time, uncheck it)
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Post a new HJT log and let me know how the computer is running.

Thanks
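
The review step in the post above, picking the Trusted Zone, AppInit_DLLs, ActiveX-download and odd Run entries out of an HJT log before choosing what to "Fix Checked", can be reproduced in a short script. The following is an added example, not code from this thread, from HijackThis or from Spybot. The sample lines are copied from the logs posted earlier in the thread; the `TRUSTED_DPF_HOSTS` list, the `Finding` class and the function names are this example's own assumptions.

```python
"""Triage helper for HijackThis (HJT) v1.99 log lines.

Added example; not code from the thread, from HijackThis or from Spybot.
It reproduces the review step the helper performs by hand: read the one-
item-per-line HJT format and flag the entry classes that were singled out
for "Fix Checked" (Trusted Zone additions, AppInit_DLLs, third-party
ActiveX downloads, Run entries with look-alike paths or misplaced
svchost.exe). The sample lines below are copied from the logs posted in the
thread; TRUSTED_DPF_HOSTS and the function names are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Every HJT item is "<type> - <body>", e.g. "O4 - HKLM\..\Run: [name] cmd".
ITEM_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

# svchost.exe is only legitimate under the Windows system directory.
SYSTEM_DIRS = ("\\system32\\", "\\servicepackfiles\\")

# Assumption for this example: ActiveX (O16 DPF) downloads from these hosts
# are treated as expected; anything else is listed for manual review.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com", "java.com")

# rundll32 loading a DLL by bare file name (resolved via the DLL search
# path) and passing it a long opaque hex argument, as in the thread's
# "[tlv63603]" entry.
RUNDLL_HEX_RE = re.compile(r"rundll32(?:\.exe)?\s+\w+\.dll,\w+\s+[0-9a-f]{16,}")


@dataclass
class Finding:
    kind: str     # HJT item type, e.g. "O15"
    line: str     # the original log line
    reason: str   # why it was flagged


def triage_line(line: str) -> Finding | None:
    """Return a Finding for one HJT line, or None if nothing stands out."""
    m = ITEM_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group(1), m.group(2)
    low = body.lower()

    if kind == "O15":
        return Finding(kind, line, "site added to the IE Trusted Zone; trusted sites run ActiveX and script with far fewer prompts")

    if kind == "O20" and low.startswith("appinit_dlls:") and low.split(":", 1)[1].strip():
        return Finding(kind, line, "AppInit_DLLs is set; that DLL is loaded into every process that loads user32.dll")

    if kind == "O16":
        host = re.search(r"https?://([^/\s]+)", body)
        if host and not host.group(1).lower().endswith(TRUSTED_DPF_HOSTS):
            return Finding(kind, line, f"ActiveX control downloaded from non-Microsoft host {host.group(1)}")

    if kind == "O4":
        # HJT prints characters outside the console code page as '?', so
        # "??sembly\s?rvices.exe" is a folder/file name built from
        # non-ASCII look-alikes of "Assembly" and "services".
        if "?" in body:
            return Finding(kind, line, "Run entry path contains non-ASCII look-alike characters")
        if "svchost.exe" in low and not any(d in low for d in SYSTEM_DIRS):
            return Finding(kind, line, "svchost.exe started from outside the Windows system directory")
        if RUNDLL_HEX_RE.search(low):
            return Finding(kind, line, "rundll32 loads a DLL by bare name with an opaque hex argument")

    if kind == "O3" and "(no file)" in low:
        return Finding(kind, line, "toolbar CLSID registered but its DLL is missing (orphaned or half-removed)")

    return None


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over a whole pasted log; blank lines are skipped."""
    findings = []
    for raw in text.splitlines():
        f = triage_line(raw)
        if f:
            findings.append(f)
    return findings


# Constructed sample: lines copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [tlv63603] RUNDLL32.EXE w0837968.dll,n 004635ff000000020837968
O4 - HKCU\..\Run: [Vbsfeqrv] C:\Program Files\Common Files\??sembly\s?rvices.exe
O4 - HKCU\..\Run: [Hucr] "C:\PROGRA~1\COMMON~1\FNTS~1\svchost.exe" -vt yax
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - AppInit_DLLs: repairs303169590.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.reason}\n     {f.line}")
```

Run it on a saved log with `triage_log(open("hijackthis.log").read())`. The script only lists what a helper would look at twice; the legitimate NVIDIA `RUNDLL32.EXE ... NvCpl.dll,NvStartup` entry and the `nvsvc32.exe` service pass, while the look-alike `??sembly` path, the `svchost.exe` under `Common Files`, every O15 Trusted Zone line, the Yazzle O16 download and the `repairs303169590.dll` AppInit entry are reported with the reason, which matches the set the helper checked in step 6.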

Jeffb21
2006-09-16, 20:39
1. Did that
2. Did that
3. Got it
4. Off

5. ofzfm.exe - infected by Trojan-Downloader.Win32.TSUpdate.n
pvmodule.exe didn't show viruses, but I have never seen it before, so I'll probably get rid of it.

6. OK, I deleted everything. I'm going to go into safe mode right now to finish off those last files and try to delete the last ozfm file, which says it is write protected.

Jeffb21
2006-09-16, 21:19
Sorry, I'm retarded and still can't figure out how to edit my posts on your forums. Anyways, I deleted the rest of those files except:
C:\WINXP\system32\winzzc32.dll - error, can't read file or something
C:\WINXP\system32\awtsr.dl - file in use

It wouldn't let me delete them even in safe mode. I did get that ozfm thing though. I think that was the heart of my problem and the program that was downloading all this junk. It had 6 exe files which would roster when I try to close one of the others (before I deleted them, of course). I still saw an "ActiveX couldn't be run" window pop up for Internet Explorer, which I don't use, so I think maybe I still have something left.

I believe I got infected when I downloaded some freeware file or something. Anyways, I'm going to set all of my security settings to high and run TeaTimer from now on.

Also I noticed this program which seems suspicious: C:\WINXP\TEMP\win3.tmp.exe
What is it?

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 12:15:00 PM, on 9/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINXP\SM1BG.EXE
C:\WINXP\system32\RunDLL32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINXP\system32\CTHELPER.EXE
C:\Program Files\iPod\bin\iPodService.exe
E:\steam\steam.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINXP\TEMP\win3.tmp.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [UpdReg] C:\WINXP\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINXP\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINXP\system32\NeroCheck.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Steam] "e:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

pskelley
2006-09-16, 21:39
Thanks, we are making good progress now. This: C:\WINXP\TEMP\win3.tmp.exe is new, but cleaning out all of the junk might have made it appear in the log? I hope you are not picking up infections as we go; the junk does attract stuff, which is why I usually ask that the computer stay offline until clean.
You will probably need to do this in safe mode: http://www.bleepingcomputer.com/tutorials/tutorial61.html

I am surprised ATF-Cleaner did not get this one: C:\WINXP\TEMP\ <<< delete the total contents of that folder. There may be a few files that stay but they will be from when the computer was started, very old.

C:\WINXP\system32\winzzc32.dll <<< this is bad and must be deleted. It might also be C:\Windows\System32\winzzc32.dll <<< will not be but one of those files

C:\WINXP\system32\awtsr.dll <<< trojan, will not be running in safe mode, must be deleted.

Once those are removed, please run the computer a bit and let me know how it is running.

This was a severely infected machine

Thanks

Jeffb21
2006-09-17, 22:58
Even when I'm in safe mode or am sure that these files aren't being used, they still can't be deleted. I copied one of them to a different location and then its copy can't be deleted either. It's got some sort of code that tricks Windows into thinking they are in use all of the time. Is there a program that will delete these files?

pskelley
2006-09-17, 23:08
Thanks for the feedback, I will start with this tool, please let me know how it goes. Delete the files you know must go.

How to use the Delete on Reboot tool http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: (copy and paste the complete pathway to the tool)
and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.

Thanks
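The "Delete a file on reboot" step above works because Windows keeps a queue of deferred moves and deletes that the session manager processes early in the next boot, before the locked file can be opened again. The following is an added example, not code from the thread or from HijackThis (the thread does not say which API HijackThis itself calls): it shows the standard mechanism, MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT, and a parser for the PendingFileRenameOperations registry value so the queue can be checked before rebooting. The sample queue value is constructed from the two paths discussed in the thread; the Windows-only calls are behind platform checks.

```python
"""Added example (not from the thread, not HijackThis code): the Windows
'delete on reboot' mechanism behind tools like the one described above.

MoveFileExW(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) does not touch the file;
it appends a (source, destination) pair to the REG_MULTI_SZ value
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations,
which the session manager processes early in the next boot, before the file
can be opened or its Winlogon/BHO hooks loaded. An empty destination means
'delete'. The Windows-only calls sit behind platform checks so the pure
parsing logic can be exercised anywhere.
"""
import ctypes
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4        # winbase.h flag value
NT_PREFIX = "\\??\\"                     # NT object-namespace prefix used in the queue


def _strip_nt_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(multi_sz):
    """Decode a PendingFileRenameOperations value into (source, destination) tuples.

    The value is a flat list of strings in pairs. Destination "" means the source
    is deleted; a destination starting with "!" means an existing target is
    replaced. Deletions are returned with destination None.
    """
    if len(multi_sz) % 2:
        raise ValueError("PendingFileRenameOperations must contain string pairs")
    ops = []
    for src, dst in zip(multi_sz[::2], multi_sz[1::2]):
        if dst == "":
            ops.append((_strip_nt_prefix(src), None))
        else:
            ops.append((_strip_nt_prefix(src), _strip_nt_prefix(dst.lstrip("!"))))
    return ops


def read_pending_renames():
    """Return the current queue so you can confirm what will be removed before rebooting (Windows only)."""
    if sys.platform != "win32":
        raise OSError("the PendingFileRenameOperations value only exists on Windows")
    import winreg
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        try:
            value, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        except FileNotFoundError:
            return []          # nothing queued
    return parse_pending_renames(value)


def queue_delete_on_reboot(path):
    """Ask Windows to delete `path` during the next boot. Needs an administrator prompt; Windows only."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    kernel32.MoveFileExW.restype = ctypes.c_int
    if not kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())
    return True


# Constructed sample value, using the two paths discussed in the thread, as the
# registry would hold them after both had been queued for deletion.
SAMPLE_QUEUE = [
    NT_PREFIX + r"C:\WINXP\system32\awtsr.dll", "",
    NT_PREFIX + r"C:\WINXP\TEMP\win3.tmp.exe", "",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for target in sys.argv[1:]:
            queue_delete_on_reboot(target)
        queued = read_pending_renames()
    else:
        queued = parse_pending_renames(SAMPLE_QUEUE)   # offline demonstration
    for src, dst in queued:
        print("delete" if dst is None else f"move -> {dst}", src)
```

Run without arguments it decodes the constructed sample; on Windows, run from an elevated prompt with one or more paths, it queues them and prints the resulting queue. Reading the queue back before rebooting is the check that matters: it confirms the exact paths that will disappear, and a queue containing paths you did not add is itself worth investigating.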

Jeffb21
2006-09-17, 23:16
New problem. When I go into HJT and try to do what you said, it closes down when I click the delete file on reboot button.

pskelley
2006-09-17, 23:22
Jeff...click the link I supplied and read the instructions. If you do it correctly, it will reboot. If that does not work, and this is nothing to rush, take your time, read the instructions, make sure you know what you are doing and what files you want to kill before you even start.

Here are the instructions and a link to Killbox if the HJT tool does not kill them. Since they do not appear in the log, the only way you will know if they are gone is to search for them. Make sure hidden files and folders is enabled or you will never see them.
http://forum.malwareremoval.com/viewtopic.php?t=320

Thanks

Jeffb21
2006-09-17, 23:38
Hey hey my man. It seems that this nasty thing had a defense program running that would stop HJT from opening that window. It was that win.tmp thing, which came back after I rebooted. Once I killed that program using procexp.exe, I was able to open the window in HJT and I deleted those nasty things. I think I'm cured, but here's my latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:34:19 PM, on 9/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\WINXP\SM1BG.EXE
C:\WINXP\system32\RunDLL32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINXP\system32\CTHELPER.EXE
E:\steam\steam.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINXP\System32\svchost.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {342A297C-CD2B-4AEC-92B9-75C1AECC27EB} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {76D56AEB-5B22-4C8B-B7C2-84827788A20C} - C:\WINXP\system32\awtsr.dll (file missing)
O2 - BHO: (no name) - {87DCC0FA-7E3D-71E0-1205-2DF07DBC6BCE} - C:\WINXP\system32\elpdrpug.dll (file missing)
O2 - BHO: (no name) - {BA62C3BF-E4C4-4A02-8659-FD58D20B88C0} - (no file)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [UpdReg] C:\WINXP\UpdReg.EXE
O4 - HKLM\..\Run: [SM1BG] C:\WINXP\SM1BG.EXE
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINXP\system32\NeroCheck.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Steam] "e:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} -
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: awtsr - C:\WINXP\system32\awtsr.dll (file missing)
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

pskelley
2006-09-17, 23:54
Looks like killing one of those files brought some junk into view that we had not seen before. You may still have these tools; follow these directions. These hackers are getting better and better at hiding stuff from us. Looks like all of this is dead.

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {342A297C-CD2B-4AEC-92B9-75C1AECC27EB} - (no file)
O2 - BHO: (no name) - {76D56AEB-5B22-4C8B-B7C2-84827788A20C} - C:\WINXP\system32\awtsr.dll (file missing)
O2 - BHO: (no name) - {87DCC0FA-7E3D-71E0-1205-2DF07DBC6BCE} - C:\WINXP\system32\elpdrpug.dll (file missing)
O2 - BHO: (no name) - {BA62C3BF-E4C4-4A02-8659-FD58D20B88C0} - (no file)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} -
O20 - Winlogon Notify: awtsr - C:\WINXP\system32\awtsr.dll (file missing)
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

It would not hurt to allow ewido to take a look if you have the time. Delete anything it locates unless you know it is not bad.

First download ewido anti-spyware from HERE (http://www.ewido.net/en/download/) and save that file to your desktop.
This is a 30 day trial of the program
Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"

Close ewido anti-spyware. Do not run a scan just yet; we will shortly.
Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
Launch ewido anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.


Restart the computer and post the ewido scan results, a new HJT log and let me know of any problems now.

Thanks
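The nine entries pskelley picked out of the log above share one property: HijackThis reports the file or object they point at as absent, so they are dead hooks left behind after the files were killed. The following is an added example, not part of the thread and not HijackThis code, that applies that rule mechanically to a log: O2 BHO and O20 Winlogon Notify entries marked "(file missing)" or "(no file)", and O16 DPF entries with no download URL, go to a "fix" list, while orphaned entries in any other section (here the O23 rpcapd service) are set aside for a human to judge. That second tier is my own triage choice, not something the thread states. The sample log is a constructed subset of the log posted above, with one benign entry kept to show it is not flagged.

```python
"""Added example (not from the thread, not HijackThis code): flag the dead
entries in a HijackThis log the way the helper did by hand above."""
import re
import sys

# Constructed sample: a subset of the HijackThis log posted earlier in the thread,
# plus one benign O2 line, so the triage rules can be exercised offline.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {342A297C-CD2B-4AEC-92B9-75C1AECC27EB} - (no file)
O2 - BHO: (no name) - {76D56AEB-5B22-4C8B-B7C2-84827788A20C} - C:\WINXP\system32\awtsr.dll (file missing)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL (file missing)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} -
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: awtsr - C:\WINXP\system32\awtsr.dll (file missing)
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# Every HJT entry line starts with a section tag (R0, R1, F2, O2 ... O23) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+)\s+-\s+(?P<body>.*)$")


def parse_entries(log_text):
    """Yield (section, body) for each entry line; header and process lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def is_orphaned(body):
    """True when HijackThis itself reports the referenced file or object as absent."""
    b = body.rstrip()
    return b.endswith("(file missing)") or b.endswith("(no file)")


def triage(log_text):
    """Return (fix, review): dead browser/logon hooks to remove, and other orphaned entries to judge."""
    fix, review = [], []
    for section, body in parse_entries(log_text):
        line = f"{section} - {body}"
        if section in ("O2", "O20") and is_orphaned(body):
            fix.append(line)                          # BHO or Winlogon Notify pointing at nothing
        elif section == "O16" and body.rstrip().endswith("-"):
            fix.append(line)                          # DPF entry with no download URL at all
        elif is_orphaned(body):
            review.append(line)                       # e.g. a service whose binary is gone
    return fix, review


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    fix, review = triage(text)
    print("Check these in 'Do a system scan only' and Fix Checked:")
    print("\n".join(fix) or "(none)")
    print("\nOrphaned entries in other sections, review by hand:")
    print("\n".join(review) or "(none)")
```

Pass a saved log as the first argument to run it against a real log; with no argument it uses the constructed sample. An entry that is flagged only because a file is missing is evidence of a clean-up already done, not of a live infection, which is why the script never touches the registry itself and leaves the "Fix Checked" click to the person reading the output.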

Jeffb21
2006-09-18, 01:00
Logfile of HijackThis v1.99.1
Scan saved at 4:00:10 PM, on 9/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\Explorer.EXE
C:\WINXP\SM1BG.EXE
C:\WINXP\system32\RunDLL32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINXP\system32\CTHELPER.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINXP\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [UpdReg] C:\WINXP\UpdReg.EXE
O4 - HKLM\..\Run: [SM1BG] C:\WINXP\SM1BG.EXE
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Jeffb21
2006-09-18, 01:03
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:49:38 PM 9/17/2006

+ Scan result:



C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{052b12f7-86fa-4921-8482-26c42316b522} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Safety Bar -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1844237615-746137067-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{052B12F7-86FA-4921-8482-26C42316B522} -> Adware.Generic : Cleaned with backup (quarantined).
C:\WINXP\em.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\unebmm350 -> Adware.MoneyMaker : Cleaned with backup (quarantined).
C:\Program Files\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\ATTO\bench32.exe -> Backdoor.Nuclear.31 : Cleaned with backup (quarantined).
C:\Documents and Settings\Jeff B\.jpi_cache\jar\1.0\archive.jar-487b52a0-6a1620f7.zip/BlackBox.class -> Dropper.Beyond.g : Cleaned with backup (quarantined).
F:\Documents and Settings\Me\.jpi_cache\jar\1.0\archive.jar-1803745e-422aa39d.zip/A.class -> Not-A-Virus.Exploit.Java.ByteVerify : Cleaned with backup (quarantined).
C:\WINXP\system32\ixt0.dll_tobedeleted -> Not-A-Virus.Hoax.Win32.Renos.en : Cleaned with backup (quarantined).
:mozilla.26:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.213:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.24:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.25:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.260:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.27:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.28:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.29:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.30:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.31:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.32:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.33:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.34:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.35:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.36:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.37:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.38:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.39:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.40:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.41:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.42:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.43:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.44:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.45:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.460:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.46:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.47:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.483:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.48:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.49:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.50:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.51:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.527:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.52:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.53:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.54:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.551:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.55:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.56:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.57:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.587:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.58:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.59:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.60:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.61:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.62:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.63:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.64:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.65:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.66:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Me\Cookies\me@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.107:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.108:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.109:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.110:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).

Jeffb21
2006-09-18, 01:04

Jeffb21
2006-09-18, 01:05


::Report end

Jeffb21
2006-09-18, 01:08
Wow, that's a big log. It seems to be cleared, but I will keep a close eye on it and will avoid entering personal information into the browser for a few weeks until I know it's clear. I already had one credit card number stolen and I think it might be because of this...

pskelley
2006-09-18, 01:16
OK Jeff, the HJT log is clean. Did you ever get around to telling me how this computer got this infected? One of the worst I have seen in a while.

There is no good reason to store all of those cookies. You need a few for passwords and sites that require them, but use this information to control them in Internet Explorer:
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx

Firefox:
http://privacy.getnetwise.org/browsing/tools/firefox1/ffdisablecookies
http://www.mozilla.org/projects/security/pki/psm/help_21/using_priv_help.html

You also quarantined that junk in ewido. Open the folder highlighted in red, and then the quarantine folder, and delete all of that junk:
C:\Program Files\ewido anti-spyware 4.0\ <<< in there should be the quarantine folder.

I did not see any System Restore stuff; I hope you do not have it turned off. A bad restore point is better than none. This information will get you clean files:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot, then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Safe surfing... tashi :) will close the topic in a few days.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
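As an added example (not code from this thread, from ewido, or from the helpers), here is a small Python triage script for the ewido anti-spyware report format Jeff posted: it parses each detection line, counts tracking cookies per cookie store and per vendor, separates anything that is not a tracking cookie for closer review, and flags the same Mozilla cookie record reported under two drive letters, which the report above showed for the C: and F: copies of one profile. The sample report is constructed and the `Adware.Placeholder` detection is a placeholder.

```python
import re
from collections import Counter, defaultdict

# One ewido anti-spyware 4.0 report line looks like one of these (taken from the thread):
#   :mozilla.851:<path to cookies.txt> -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
#   C:\...\Cookies\me@adorigin[1].txt -> TrackingCookie.Adorigin : Cleaned with backup (quarantined).
# The ":mozilla.NNN:" prefix is the record index inside a Mozilla/Firefox cookies.txt;
# Internet Explorer stores one cookie per file, so those lines carry no prefix.
LINE_RE = re.compile(
    r"^(?::mozilla\.(?P<idx>\d+):)?(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+?)\.?$"
)

# Constructed sample report; the last detection is a placeholder, not a real signature name.
SAMPLE_REPORT = r"""
:mozilla.851:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
:mozilla.852:C:\Documents and Settings\Jeff B\Application Data\Mozilla\Firefox\Profiles\3iargw48.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
C:\Documents and Settings\Me\Cookies\me@adorigin[1].txt -> TrackingCookie.Adorigin : Cleaned with backup (quarantined).
:mozilla.35:C:\Documents and Settings\Me\Application Data\Mozilla\Users50\default\fr7vup9s.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.35:F:\Documents and Settings\Me\Application Data\Mozilla\Users50\default\fr7vup9s.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\WINXP\system32\placeholder.dll -> Adware.Placeholder : Cleaned with backup (quarantined).

::Report end
"""


def parse_report(text):
    """Return one dict per detection line; headers, '::Report end' and blanks are skipped."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("::"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # not a detection line (report banner, scan settings, ...)
        d = m.groupdict()
        d["idx"] = int(d["idx"]) if d["idx"] else None
        # "TrackingCookie.Adjuggler" -> family "TrackingCookie", vendor "Adjuggler"
        d["family"], _, d["vendor"] = d["name"].partition(".")
        hits.append(d)
    return hits


def summarize(hits):
    """Count detections per cookie store and per tracking vendor, and set aside anything
    that is not a tracking cookie: those are the entries worth a second look."""
    per_store = Counter(h["path"] for h in hits)
    per_vendor = Counter(h["vendor"] for h in hits if h["family"] == "TrackingCookie")
    non_cookie = [h for h in hits if h["family"] != "TrackingCookie"]
    return per_store, per_vendor, non_cookie


def duplicated_stores(hits):
    """Find the same Mozilla cookie record (same profile path, index and name) reported
    under more than one drive letter. That usually means a second copy of the profile
    was scanned, not twice as many cookies, so the counts should not be added up."""
    seen = defaultdict(set)
    for h in hits:
        if h["idx"] is None:
            continue
        drive, rest = h["path"][:2], h["path"][2:]
        seen[(rest, h["idx"], h["name"])].add(drive)
    return sorted({tuple(sorted(v)) for v in seen.values() if len(v) > 1})


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    per_store, per_vendor, non_cookie = summarize(hits)
    print(f"{len(hits)} detections in {len(per_store)} cookie stores / files")
    for vendor, n in per_vendor.most_common():
        print(f"  tracking cookies from {vendor}: {n}")
    for h in non_cookie:
        print(f"  REVIEW: {h['name']} at {h['path']} ({h['action']})")
    for drives in duplicated_stores(hits):
        print(f"  same profile seen on drives {' and '.join(drives)}")
```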

tashi
2006-09-22, 23:00
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Glad we could help.