look2me/ guard.tmp/ command service etc

nearly done...

 
...

C:\WINDOWS\system32\bmffupsx.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dqpnbtgj.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\fplceqht.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\iywpmlpn.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\jxetbvbd.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\oilgnalr.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\okuqjfau.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sudjankq.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ukaaeffb.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{210D51DF-0CC8-4629-AE7A-50A61C498B13}\RP40\A0035509.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\U3Rld2FydCBIb3Ju\oal5xZIVxF1KvaLR.vbs -> Trojan.Small : Cleaned with backup (quarantined).


::Report end
 
last one - the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 19:36:54, on 01/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\UPDATE_FILES\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {FDE1310D-204C-4EAB-9A25-95F40B71009D} - C:\WINDOWS\repair\natiibn.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O20 - Winlogon Notify: natiibn - C:\WINDOWS\repair\natiibn.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
 
hi


Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
 
Thanks Illuka - didn't expect to hear from you over the weekend

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 21:30:03 02/12/2006

Listing files found while scanning....

C:\WINDOWS\system32\awtqo.dll
C:\WINDOWS\system32\byxwt.dll
C:\WINDOWS\system32\cbaya.dll
C:\WINDOWS\system32\dtfucdcf.dll
C:\WINDOWS\system32\efcaw.dll
C:\WINDOWS\system32\efcbx.dll
C:\WINDOWS\system32\hxpdmoye.dll
C:\WINDOWS\system32\kiwclxah.dll
C:\WINDOWS\system32\mayufxod.dll
C:\WINDOWS\system32\mepdkrmf.dll
C:\WINDOWS\system32\mhdavqbe.dll
C:\WINDOWS\system32\nbublfjr.dll
C:\WINDOWS\system32\nnlkl.dll
C:\WINDOWS\system32\opnmj.dll
C:\WINDOWS\system32\opnnk.dll
C:\WINDOWS\system32\pkvoftsl.dll
C:\WINDOWS\system32\pmkki.dll
C:\WINDOWS\system32\pmnll.dll
C:\WINDOWS\system32\qopnn.dll
C:\WINDOWS\system32\qoppp.dll
C:\WINDOWS\system32\ssqqo.dll
C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\uairdsbq.dll
C:\WINDOWS\system32\ursrp.dll
C:\WINDOWS\system32\wcudrcoj.dll
C:\WINDOWS\system32\wvwuv.dll
C:\WINDOWS\system32\xjwkvnug.dll
C:\WINDOWS\system32\xxyab.dll
C:\WINDOWS\system32\yabcy.dll
C:\WINDOWS\system32\yabxv.dll
C:\WINDOWS\repair\natiibn.dll
C:\WINDOWS\repair\nbiitan.ini
C:\WINDOWS\repair\nbiitan.bak1
C:\WINDOWS\repair\nbiitan.bak2
C:\WINDOWS\repair\nbiitan.ini2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtqo.dll
C:\WINDOWS\system32\awtqo.dll Has been deleted!




Logfile of HijackThis v1.99.1
Scan saved at 21:40:44, on 02/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\UPDATE_FILES\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\wahgliam.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {781E3C97-CD31-46C7-9AB4-76C860082482} - C:\WINDOWS\repair\natiibn.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe



Attempting to delete C:\WINDOWS\system32\byxwt.dll
C:\WINDOWS\system32\byxwt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbaya.dll
C:\WINDOWS\system32\cbaya.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dtfucdcf.dll
C:\WINDOWS\system32\dtfucdcf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\efcaw.dll
C:\WINDOWS\system32\efcaw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\efcbx.dll
C:\WINDOWS\system32\efcbx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hxpdmoye.dll
C:\WINDOWS\system32\hxpdmoye.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kiwclxah.dll
C:\WINDOWS\system32\kiwclxah.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mayufxod.dll
C:\WINDOWS\system32\mayufxod.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mepdkrmf.dll
C:\WINDOWS\system32\mepdkrmf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mhdavqbe.dll
C:\WINDOWS\system32\mhdavqbe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nbublfjr.dll
C:\WINDOWS\system32\nbublfjr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnlkl.dll
C:\WINDOWS\system32\nnlkl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnmj.dll
C:\WINDOWS\system32\opnmj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnnk.dll
C:\WINDOWS\system32\opnnk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pkvoftsl.dll
C:\WINDOWS\system32\pkvoftsl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkki.dll
C:\WINDOWS\system32\pmkki.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnll.dll
C:\WINDOWS\system32\pmnll.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qopnn.dll
C:\WINDOWS\system32\qopnn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qoppp.dll
C:\WINDOWS\system32\qoppp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqqo.dll
C:\WINDOWS\system32\ssqqo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\ssttt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uairdsbq.dll
C:\WINDOWS\system32\uairdsbq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ursrp.dll
C:\WINDOWS\system32\ursrp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wcudrcoj.dll
C:\WINDOWS\system32\wcudrcoj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvwuv.dll
C:\WINDOWS\system32\wvwuv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xjwkvnug.dll
C:\WINDOWS\system32\xjwkvnug.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxyab.dll
C:\WINDOWS\system32\xxyab.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yabcy.dll
C:\WINDOWS\system32\yabcy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yabxv.dll
C:\WINDOWS\system32\yabxv.dll Has been deleted!

Attempting to delete C:\WINDOWS\repair\natiibn.dll
C:\WINDOWS\repair\natiibn.dll Has been deleted!

Attempting to delete C:\WINDOWS\repair\nbiitan.ini
C:\WINDOWS\repair\nbiitan.ini Has been deleted!

Attempting to delete C:\WINDOWS\repair\nbiitan.bak1
C:\WINDOWS\repair\nbiitan.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\repair\nbiitan.bak2
C:\WINDOWS\repair\nbiitan.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\repair\nbiitan.ini2
C:\WINDOWS\repair\nbiitan.ini2 Has been deleted!

Performing Repairs to the registry.
Done!



Logfile of HijackThis v1.99.1
Scan saved at 21:40:44, on 02/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\UPDATE_FILES\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\wahgliam.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {781E3C97-CD31-46C7-9AB4-76C860082482} - C:\WINDOWS\repair\natiibn.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
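The removal output above reports C:\WINDOWS\repair\natiibn.dll as deleted, yet the HijackThis log that follows still lists a BHO pointing at it, marked "(file missing)". As an added example (not part of the original thread or of any tool named in it), the script below cross-checks the two outputs to list such leftover references; the sample input is a constructed excerpt built from lines in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample input: a short excerpt in the format of the removal-tool
# output and the HijackThis log posted in this thread.
REMOVAL_LOG = r"""
Attempting to delete C:\WINDOWS\system32\byxwt.dll
C:\WINDOWS\system32\byxwt.dll Has been deleted!

Attempting to delete C:\WINDOWS\repair\natiibn.dll
C:\WINDOWS\repair\natiibn.dll Has been deleted!
"""

HJT_LOG = r"""
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\wahgliam.dll
O2 - BHO: (no name) - {781E3C97-CD31-46C7-9AB4-76C860082482} - C:\WINDOWS\repair\natiibn.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
"""

# "<path> Has been deleted!" is the confirmation line of the removal output.
DELETED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Has been deleted!$")
# HijackThis entries start with a section code such as R0, O2, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<section>[ORNF]\d{1,2}) - (?P<body>.+)$")


def deleted_paths(removal_log):
    """Return the lower-cased paths the removal output confirms as deleted."""
    paths = set()
    for line in removal_log.splitlines():
        match = DELETED_RE.match(line.strip())
        if match:
            paths.add(match.group("path").lower())
    return paths


def parse_hjt(hjt_log):
    """Return (section, body) for every HijackThis entry line in the log."""
    entries = []
    for line in hjt_log.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("section"), match.group("body")))
    return entries


def leftover_references(removal_log, hjt_log):
    """List HijackThis entries that still point at a removed or missing file."""
    removed = deleted_paths(removal_log)
    findings = []
    for section, body in parse_hjt(hjt_log):
        lowered = body.lower()
        reasons = []
        if any(path in lowered for path in removed):
            reasons.append("path deleted by removal tool")
        if lowered.endswith("(file missing)"):
            reasons.append("HijackThis reports file missing")
        if reasons:
            findings.append({"section": section, "entry": body, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in leftover_references(REMOVAL_LOG, HJT_LOG):
        print(finding["section"], "|", finding["entry"], "|", ", ".join(finding["reasons"]))
```
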
 
care to post a fresh HijackThis log, the avg antispyware scan showed some very alarming results
 
uh-oh

If it's any help, when I open task manager there's always a "system idle process" which can use up to 90% of my processor. My pc has been a bit slower in the last couple of days. Is this to do with the AVG program?

S


Logfile of HijackThis v1.99.1
Scan saved at 23:13:26, on 03/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
D:\UPDATE_FILES\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\wahgliam.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {781E3C97-CD31-46C7-9AB4-76C860082482} - C:\WINDOWS\repair\natiibn.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
 
My pc has been a bit slower in the last couple of days. Is this to do with the AVG program?

it's because of the absolute s**tload of viruses and malware on your computer.
you seem to have a downloader agent awf infection. it causes irreparable damage to your system. you may have to reinstall all of your programs, because it replaces those legit executables with copies of itself..

ok that alone would possibly be repairable, but the ewido scan revealed something more:
C:\Documents and Settings\Teresa\Local Settings\Temp\lbdihocx.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\Documents and Settings\Teresa\Local Settings\Temp\mfuvesqs.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\Documents and Settings\Teresa\Local Settings\Temp\nbfjvpmi.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).

etc
that looks like it's a keystroke logger, so i am strongly recommending you to do a complete format and reinstall of the system. another reason to do it is that you are severely behind on windows updates, your system is vulnerable to reinfection all the time..

a keystroke logger is a (malicious) program that records everything typed on the machine. everything. this includes online passwords, such as bank logins, credit card numbers etc. this computer cannot be trusted anymore!



i recommend these actions:
1) Use a known secure computer to change all of your online passwords
2) Contact your bank and credit card company for possible unauthorised transactions

more info can be found here:



How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?


some further reading:

Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/community...gmt/sm0504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft.com/technet/community...gmt/sm0704.mspx

and finally some more considerations:

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

if you choose to format and reinstall see this link for instructions:
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
 
last wee bit of help please

Oh well, thanks. I appreciate all your efforts. I have done a reformat and reinstall before, but I still have the problem of having loads of documents - music and photos mainly - that I want to keep. Why can't I use an external hard drive to copy them all onto? Also, if I format the C drive and reinstall, will my D drive with all the data still be intact or is there a chance I'll lose everything?

When I turn on the external drive it comes up as an F drive on my computer but when I try to use it I get a message saying "F:\ is not accessible. The request could not be performed because of an I/O device error." It's plugged into a USB 2 port which works on my ipod. Is there something I can do rather than spend a whole day burning CDs?

thanks

S
 
broken cable? try another port, or is there only one usb port?
usb ports alone do not feed enough power to most harddisks, so the external power supply of the drive must be used
if you format your system drive, other drives will be left alone
 
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Reenable system restore with instructions from tutorial above

  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  8. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

also remember to keep your java updated, see this topic for instructions

http://forums.spybot.info/showpost.php?p=12880&postcount=2
 