SurfSideKick; Windows Security Center disabled

[renegade]

've been having trouble with the windows security center problems in spybot. i scanned through a few threads but it didn't seem to help me because my computer DID have malware (SurfSideKick). in the last few days, but i've manually cleaned out all of Surf SideKick that i know-- and it hasn't shown up in the sweep when i run it. so this is my next problem-- i'm not sure whether it has to do with SurfSideKick, or if its something new:

when i run spybot all 7 of the security center alerts come up. however when i got to the control panel > security center, it says that my firewall is off. when i go to recommendations and select "enable now" it says something like "We're sorry, windows security center cannot turn on the firewalls. please try to turn them on yourself by...."

so i go back to the security center home and select "windows firewall", but heres where the problem occurs. the entire "general" tab is dimmed, so i cannot turn the firewall off.

lastly, when i go to my registry editor, to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

there are the problems, the firewall.override, etc. etc.

i try to delete them, and they do delete, but then whenever i try to access the security center again, they pop back up in the registry editor.

lastly, sometimes random processes start running and slow down my computer-- taking up to 99% CPU. i'm not sure if this has anything to do with the same virus, but they definitely are not supposed to be running and when it happens i boot up the comp in safe mode and delete them manually (they refuse to end or delete while in normal mode)

i am at wits end on what to do... any help is greatly appreciated. thank you in advance =)

~Renegade

 

[tashi]

Hello.

Please follow the instructions for posting in the malware forum as I responded here:

http://forums.spybot.info/showpost.php?p=35137&postcount=41


Here is the link again:
BEFORE you post and who will advise you. Preliminary Steps

Two of your posts in other members malware topics were removed.

Thank you.

 

[renegade]

Logfile of HijackThis v1.99.1
Scan saved at 6:50:30 PM, on 7/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\taskib.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1134336251\ee\aolsoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\cjnr4r4zskdwpi.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Wei Jia Ni\Desktop\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)
O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134336251\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [keyboard] C:\\kybrdef_7.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [defender] C:\\dfndref_7.exe
O4 - HKLM\..\Run: [{0D-DB-BF-F4-ZN}] c:\windows\system32\dwdsregt.exe CORN003
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Documents and Settings\Wei Jia Ni\Desktop\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [spywarebot] C:\Documents and Settings\Wei Jia Ni\Desktop\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIMKatie\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIMKatie\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\ivxmontr.dll (file missing)
O20 - Winlogon Notify: SharedDlls - C:\WINDOWS\system32\kqdur.dll (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\ExnClass.Dll (file missing)
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\apmlib.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Print Spooler Service (SpoolSvc203) - Unknown owner - C:\WINDOWS\system32\cjnr4r4zskdwpi.exe
O23 - Service: Network Station Task Manager (TSKIB) - Unknown owner - C:\WINDOWS\taskib.exe

 

[LonnyRJones]

Welcome renegade

Thanks for your patience, if your still in need of assistance and are not
recieving it at another forum, uninstall SpywareBot and quicklinks via addremove programs then Post a fresh hijackthis log please.

 

[renegade]

Logfile of HijackThis v1.99.1
Scan saved at 3:16:37 PM, on 8/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1134336251\ee\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIMKatie\aim.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\Wei Jia Ni\Desktop\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)
O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134336251\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{0D-DB-BF-F4-ZN}] c:\windows\system32\dwdsregt.exe CORN003
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Documents and Settings\Wei Jia Ni\Desktop\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIMKatie\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIMKatie\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\ivxmontr.dll (file missing)
O20 - Winlogon Notify: SharedDlls - C:\WINDOWS\system32\kqdur.dll (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\ExnClass.Dll (file missing)
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\apmlib.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Print Spooler Service (SpoolSvc203) - Unknown owner - C:\WINDOWS\system32\cjnr4r4ngyrk.exe (file missing)

is that right?

 

[LonnyRJones]

Open a command prompt (start run type cmd press enter) type
sc delete "SpoolSvc203"
press enter type
sc delete TSKIB
press enter, type exit and press enter to exit the command prompt

Start Hijackthis and place a check next to these items If there.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)
O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
O4 - HKLM\..\Run: [{0D-DB-BF-F4-ZN}] c:\windows\system32\dwdsregt.exe CORN003
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large You might need to post half in one reply half in another.

 

[renegade]

okay, i did everything up to the combofix. i downloaded combofix but it doesn't work properly. when i type "y" and hit enter, it gives me an error message like "possible rootkit interference. talk to a forum helper"

any suggestions?

 

[LonnyRJones]

Please download Look2Me-Destroyer.exe to your to the root drive, eg: Local Disk C: or partition where your operating system is installed.
http://www.atribune.org/content/view/28/
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 to five minute's. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Wait about Four minutes, Turn your computer back on.
Please post the contents of Look2Me-Destroyer.txx

Post a report from this tool if any FILES show
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Click the i accept button near the bottom of that page.
Download and run blacklite click > scan then > next, next again then exit
there will be a new txt near blacklite. post it please.
Important: If any files show Do not rename them YET.....legitimate files can be listed.

 

[AndyManchesta]

Hi Renegade

Lonny has asked me to post on this topic as there is a fixtool available for the rootkit infection that is present on your system,

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

• In Safe Mode, right click the SDFix.zip folder and choose Extract All,
• Open the extracted folder and double click RunThis.bat to start the script.
• It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
• Press any Key and it will count down from 15 Seconds and restart the PC.
• Your system will take longer that normal to restart as the fixtool will be running and removing files.
• When the desktop loads the Fixtool will display Finished, press any key to end the script and load your desktop icons.
• Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Let us know if you have any problems

Thanks

Andy

 

[renegade]

SDFix Report

SDFix Version 1.06
************************

Scan Time/Date:

03:51 PM
Thu 08/10/2006

Microsoft Windows XP [Version 5.1.2600]
Running from directory:
C:\Documents and Settings\-Katie-\Desktop\SDFix

Stage One...

Exporting Service Information:

Service Name
**************

Service File Path
*******************

Deleting Services
*******************


Repairing SDBot Registry Changes....

Adding Reg Key To Run On Reboot

Stage One Complete...

Rebooting!

Stage Two...

Removing Malware Files and Registry Entries
***********************************************

Registry Cleaning Finished...

Checking For Malware Files...
(If any are found they will be listed below)...

C:\WINDOWS\Temp\cjnr4r436B7FF94.tmp
Backing Up and Deleting any Files Listed....

Finished

 

[renegade]

Hijack This Report

Logfile of HijackThis v1.99.1
Scan saved at 3:54:04 PM, on 8/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\1134336251\ee\aolsoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIMKatie\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Wei Jia Ni\Desktop\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134336251\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Documents and Settings\Wei Jia Ni\Desktop\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [keyboard] C:\\kybrdef_7.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [defender] C:\\dfndref_7.exe
O4 - HKLM\..\Run: [{0D-DB-BF-F4-ZN}] c:\windows\system32\dwdsregt.exe CORN003
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [spywarebot] C:\Documents and Settings\Wei Jia Ni\Desktop\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIMKatie\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIMKatie\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\ivxmontr.dll (file missing)
O20 - Winlogon Notify: SharedDlls - C:\WINDOWS\system32\kqdur.dll (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\ExnClass.Dll (file missing)
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\apmlib.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

 

[AndyManchesta]

Hi Renegade

Thanks for the log, if there is a rootkit on your system it doesnt appear to be connected to the HackerDefender variant as the report is clear, with it showing the file in your running processes in your earlier log the rootkit component may not of installed correctly but it was worth making sure, the script should of repaired the problems you was having with the Security Center but let me know if Spybot is still finding problems, the infection has just been updated within the last hour or two but the script is still removing it so you may have something else on board which is interfering. Lets get things cleaned up abit then run a rootkit scan and take it from there.

Id recommend removing SpywareBot from the Add/Remove screen (Start Menu > Control Panel > Add or Remove Programs), It has no connection to Spybot Search and Destroy although it did use the name Search and Destroy on its website pages and search engines at one stage to trick novice users into thinking they were getting Spybot S&D, If you have payed for it then its up to you if you trust the company that makes it but if its free, Id suggest it be removed from your system.

Run Hijack This and choose Do A System Scan then place a check next to these entries

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = ht*p://www.mrfindalot.com/search.asp?si=
O4 - HKLM\..\Run: [keyboard] C:\\kybrdef_7.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [defender] C:\\dfndref_7.exe
O4 - HKLM\..\Run: [{0D-DB-BF-F4-ZN}] c:\windows\system32\dwdsregt.exe CORN003
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\ivxmontr.dll (file missing)
O20 - Winlogon Notify: SharedDlls - C:\WINDOWS\system32\kqdur.dll (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\ExnClass.Dll (file missing)
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\apmlib.dll (file missing)

Close all open browser and other windows except for Hijack This and press the Fix Checked button

Download Killbox from Here

Click killbox.exe

Select the option "Delete on reboot".

Click the button: All Files (Important!)
Now it should flash green.

Next copy the contents of the code box to clipboard by left clicking and covering the text then right click inside the highlighted area and choose Copy:

C:\\kybrdef_7.exe
C:\WINDOWS\system32\ssn6tuu.exe
C:\\dfndref_7.exe
c:\windows\system32\dwdsregt.exe 
C:\WINDOWS\system32\xeymi.dll

After copying the above text to Clipboard click File on the killbox menu bar and choose Paste From Clipboard

Then press the Delete File button (Red Circle with a White X).
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.

Your computer should reboot now.

After reboot please complete the steps Lonny posted:

Please download Look2Me-Destroyer.exe to your desktop.

• Close all windows before continuing.
• Double-click Look2Me-Destroyer.exe to run it.
• Put a check next to Run this program as a task.
• You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
• When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
• Once it's done scanning, click the Remove L2M button.
• You will receive a Done Scanning message, click OK.
• When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
• Your computer will then shutdown.
• Turn your computer back on.
• Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

Then download Blacklight beta HERE and save it to your desktop.
Run the program, accept statement > click next then scan
When its finished scanning exit the program and post back the log if it detects hidden files, The log is called 'fsbl-<date/time>.log' which will save to the same location as the blbeta.exe file.

Please then post back the Look2me destroyer.txt, Blacklight's log if it finds any hidden files and a new HijackThis log.

Cheers

Andy

 

[renegade]

thank you for all your help so far =)

i no longer get Windows Security Center alerts from Spybot

however, i'm looking on my add/remove list, and SpywareBot isn't on there. only SpyBot...?

also, i did okay up to the Killbox step. i downloaded Killbox but when i tried to copy the code, Killbox only takes the first line of the copied text. i'm not sure exactly how to put in the other text so that it will work properly.

 

[AndyManchesta]

Hey Renegade

No Problem about the help, there's still alot left to check to help you get the PC clean again.

If SpywareBot isnt on the Add/Remove screen and you did want to remove it then fix this entry with HijackThis

Run Hijack This and choose Do A System Scan then place a check next to this entry

O4 - HKLM\..\Run: [spywarebot] C:\Documents and Settings\Wei Jia Ni\Desktop\SpywareBot\SpywareBot.exe -boot

Close all open browser and other windows except for Hijack This and press the Fix Checked button

Then delete the SpywareBot folder on the Desktop if it still exists.

For Killbox,

When you run the program and choose delete on reboot you then need to click the All Files button (it then flashes green), you can then copy the file list to clipboard by covering the text and right click and choose copy

C:\\kybrdef_7.exe
C:\WINDOWS\system32\ssn6tuu.exe
C:\\dfndref_7.exe
c:\windows\system32\dwdsregt.exe 
C:\WINDOWS\system32\xeymi.dll

Then click File on the killbox menu bar and choose Paste From Clipboard and it should then add all the files and you just need to press the delete button. Ive just tested it on myown system by creating files with the same names and it worked fine but if you have any problems with it then manually delete these files:

C:\\kybrdef_7.exe
C:\\dfndref_7.exe
C:\WINDOWS\system32\ssn6tuu.exe
c:\WINDOWS\system32\dwdsregt.exe
C:\WINDOWS\system32\xeymi.dll

If you need to remove them manually and have problems finding any then please set Windows to show hidden files and folders and check again to make sure they do not exist.

Click Start. Goto MyComputer then C:\drive
Select the Tools menu from the top bar and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
UnCheck the "Hide protected operating system files (recommended)" option.

Click Yes to confirm then OK

Set this back once you have removed the files by opening the same page and pressing the Restore Defaults button the click Apply and OK.

Let us know if you have any problems and post back the look2me destroyer and blacklight logs once they have been run.

Thanks

Andy

 

[renegade]

again, when i try to copy the Killbox code, it only pastes the first line (as there is only one form line in the killbox prompt). so i tried to put them all in separately using "single file" instead. however when it tried to shut down, the program hit me with an error message:

"PendingFileRenameOperations Registry Data has been Removed by External Process!"

BlackLight Beta did not find anything.

Here is the Look2Me log:


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 8/11/2006 12:56:03 PM


Attempting to delete infected files...

Making registry repairs.


Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1D62C33B-48B4-4126-8E38-678C2147DFAC}"
HKCR\Clsid\{1D62C33B-48B4-4126-8E38-678C2147DFAC}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{AAAE9F4D-52B4-4EC2-8233-4CE2C81C8CAD}"
HKCR\Clsid\{AAAE9F4D-52B4-4EC2-8233-4CE2C81C8CAD}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{676CBB1A-D1FA-4D99-8F03-A498174DA0F6}"
HKCR\Clsid\{676CBB1A-D1FA-4D99-8F03-A498174DA0F6}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0BE1DEA3-8C95-44A6-834E-6FA27A8ED865}"
HKCR\Clsid\{0BE1DEA3-8C95-44A6-834E-6FA27A8ED865}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9EC0CCCB-A5F6-47A7-95A6-AEC2701A872D}"
HKCR\Clsid\{9EC0CCCB-A5F6-47A7-95A6-AEC2701A872D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E19F8941-02C7-44C5-BE60-410C62DE8B45}"
HKCR\Clsid\{E19F8941-02C7-44C5-BE60-410C62DE8B45}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{633A7BE0-EA03-4A7D-BDEE-44529817DE98}"
HKCR\Clsid\{633A7BE0-EA03-4A7D-BDEE-44529817DE98}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

 

[AndyManchesta]

Hi Renegade,

No Problem, just delete those files manually ,

There maybe still some malware issues which are causing problems with the tools so It's best we check your system in more detail and see if any problems show in the results.

Download Ewido Anti-Spyware

1. Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
2. After the update finishes (the status bar at the bottom will display "Update successful")
3. Click on the Scanner tab at the top and then click on Complete System Scan
4. Ewido will list any infections found on the left, when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will then display "All actions have been applied" on the right.
5. Click on "Save Report" after Ewido has removed the entries, then click "Save Report As". This will create a text file which you can then save to the Desktop and post back

Next can you run the following batch file and post back the results.

Open Notepad (Start Menu > Run > Type notepad and press OK)

Copy and Paste the contents of the code box into Notepad

if exist Check.txt del /q Check.txt

echo. >> Check.txt
echo Uninstall List: >> Check.txt
echo. >> Check.txt
regedit /e List.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
FIND "DisplayName" < List.txt | find /v "QuietDisplayName" | find /v "ParentDisplayName" | find /v "ShowDisplayName" | find /v "WebFldrs XP" > List1.txt
for /f "tokens=2 delims==" %%a in (List1.txt) do echo %%~a >> Check.txt
echo. >> Check.txt
echo Policy Keys: >> Check.txt
echo. >> Check.txt
regedit /e Policy1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
regedit /e Policy2.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
Type Policy*.txt >> Check.txt
del /q Policy*.txt 
del /q List*.txt
Notepad Check.txt

Goto File on the top bar and choose Save As, Change the Save As Type to All Files, Name it Check.bat then save it to your desktop

Double click Check.bat and it will export the information from the uninstall key and the policy keys and then open the information in notepad, please post the contents of that text file (Check.txt) back on the forum


Finally run Hijack This, Choose Open the Misc tools section, On the StartUp List area at the top, place a check next to List Also Minor Sections (full) and List Empty Sections (complete) then press Generate StartUp List Log and Yes at the prompt. Please post the text file that opens into your next reply.

Please then post back the Ewido report, the Check.bat export details and the StartupList (Post them in seperate replies if needed to make sure all the information is included)

Let us know if you have any problems

Andy

 

[renegade]

Startup List

StartupList report, 8/12/2006, 11:39:52 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Wei Jia Ni\Desktop\HJT\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Documents and Settings\-Katie-\Desktop\Anti-Virus Stuff\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\1134336251\ee\aolsoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\-Katie-\Desktop\Anti-Virus Stuff\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\AIMKatie\aim.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Wei Jia Ni\Desktop\HJT\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\-Katie-\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

VTTimer = VTTimer.exe
VTTrayp = VTtrayp.exe
SoundMan = SOUNDMAN.EXE
ShStatEXE = "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
McAfeeUpdaterUI = "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
Network Associates Error Reporting Service = "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
HostManager = C:\Program Files\Common Files\AOL\1134336251\ee\AOLHostManager.exe
ViewMgr = C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
UnlockerAssistant = "C:\Documents and Settings\Wei Jia Ni\Desktop\Unlocker\UnlockerAssistant.exe"
!ewido = "C:\Documents and Settings\-Katie-\Desktop\Anti-Virus Stuff\ewido anti-spyware 4.0\ewido.exe" /minimized

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AIM = C:\Program Files\AIMKatie\aim.exe -cnetwait.odl

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\ssstars.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

MP Scheduled Scan.job
XoftSpySE.job

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD Processor Driver: system32\DRIVERS\AmdK8.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: system32\DRIVERS\arp1394.sys (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

 

[renegade]

Startup List Continued

Canon Camera Access Library 8: C:\Program Files\Canon\CAL\CALMAIN.exe (autostart)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
EntDrv51: \??\C:\WINDOWS\system32\drivers\EntDrv51.sys (manual start)
EPSON Printer Status Agent2: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (autostart)
EPSON USB Storage Driver: system32\DRIVERS\epusbsto.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
ewido anti-spyware 4.0 driver: \??\C:\Documents and Settings\-Katie-\Desktop\Anti-Virus Stuff\ewido anti-spyware 4.0\guard.sys (system)
ewido anti-spyware 4.0 guard: C:\Documents and Settings\-Katie-\Desktop\Anti-Virus Stuff\ewido anti-spyware 4.0\guard.exe (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
VIA Rhine-Family Fast Ethernet Adapter Driver Service: system32\DRIVERS\fetnd5bv.sys (manual start)
VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver: system32\DRIVERS\fetnd5.sys (manual start)
VIA Rhine Family Fast Ethernet Adapter Driver Service: system32\DRIVERS\fetnd5b.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
Microsoft Generic AGPv3.0 Filter for K8 Processor Platforms: system32\DRIVERS\gagp30kx.sys (system)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
McAfee Framework Service: C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart (autostart)
Network Associates McShield: "C:\Program Files\Network Associates\VirusScan\Mcshield.exe" (autostart)
Network Associates Task Manager: "C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe" (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
NaiAvFilter1: system32\drivers\naiavf5x.sys (manual start)
NaiAvTdi1: system32\drivers\mvstdi5x.sys (system)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: system32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Upper Class Filter Driver: system32\DRIVERS\NTIDrvr.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NTSIM: \??\C:\WINDOWS\system32\ntsim.sys (manual start)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
VIA OHCI Compliant IEEE 1394 Host Controller: system32\DRIVERS\ohci1394.sys (system)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
PCIIde: system32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
802.11a/g USB Driver: system32\DRIVERS\WUSB20XP.sys (manual start)
Processor Driver: system32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: system32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Sony USB Filter Driver (SONYPVU1): system32\DRIVERS\SONYPVU1.SYS (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{9310F0C6-FAB2-47F8-817E-B22F867DFB99} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
viagfx: system32\DRIVERS\vtmini.sys (manual start)
ViaIde: system32\DRIVERS\viaide.sys (system)
viamraid: system32\DRIVERS\viamraid.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Defender Service: "C:\Program Files\Windows Defender\MsMpEng.exe" (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: *Registry key not found*
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 33,217 bytes
Report generated in 0.078 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

 

[renegade]

Check.txt

Uninstall List:

S3GSetup
Adobe Shockwave Player
Adobe Download Manager 2.0 (Remove Only)
AOL Explorer
AOL Instant Messenger
AOL Uninstaller (Choose which Products to Remove)
ewido anti-spyware 4.0
Film Factory
Quicklinks
HijackThis 1.99.1
Canon Utilities PhotoStitch 3.1
Canon Camera Window DSLR 5 for ZoomBrowser EX
NTI DVD-Maker
VIA Platform Device Manager
Canon PowerShot S45 WIA Driver
NTI DriveBackup! 4
NTI Backup NOW! 4
iPod for Windows 2006-01-10
Canon RAW Image Task for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
iTunes
Canon Camera Window MC 6 for ZoomBrowser EX
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Utilities RemoteCapture 2.7
QuickTime
Canon Utilities File Viewer Utility 1.2
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Security Update for Windows XP (KB890046)
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Windows Installer 3.1 (KB893803)
Update for Windows XP (KB894391)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Update for Windows XP (KB898461)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Update for Windows XP (KB900485)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Update for Windows XP (KB916595)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
LimeWire 4.12.4
Mozilla Firefox (1.5)
Canon PhotoRecord
Macromedia Flash Player 8
Spybot - Search & Destroy 1.4
VIA/S3G Display Driver
Viewpoint Manager (Remove Only)
Viewpoint Media Player
VIA Rhine-Family Fast Ethernet Adapter
Windows Genuine Advantage Validation Tool
Windows Genuine Advantage Notifications (KB905474)
Windows Media Format Runtime
Windows Media Player 10
The GIMP 2.2.12
GTK+ 2.8.18-1 runtime environment
Microsoft Office 2000 SR-1 Premium
Microsoft Office 2000 Disc 2
PhotoStitch
Camera Window DS
NTI DVD-Maker
Platform
Google Talk (remove only)
Ad-Aware SE Plus
Canon Camera WIA Driver
S3GSetup
NTI DriveBackup! 4
J2SE Runtime Environment 5.0 Update 6
NTI Backup NOW! 4
iPod for Windows 2006-01-10
RAW Image Task
Adober Photoshopr Album Starter Edition 3.0
MovieEdit Task
Camera Window DVC
iTunes
McAfee VirusScan Enterprise
Windows Genuine Advantage v1.3.0254.0
PowerDVD
Camera Window MC
Camera Access Library
Camera Support Core Library
Camera Window DVC
Windows Defender Signatures
Adobe Reader 7.0.5
Windows Defender
RemoteCapture 2.7.0
Athlon 64 Processor Driver
Canon ZoomBrowser EX (E)
QuickTime
File Viewer Utility 1.2
Realtek AC'97 Audio

Policy Keys:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"ScanWithAntiVirus"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
"{17492023-C23A-453E-A040-C7C580BBF700}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

 

[renegade]

Ewido Report

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:35:33 AM 8/12/2006

+ Scan result:



D:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\WINDOWS\cbtdtkxd.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3636GVY6\bbqa[1].cab/cvn0.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-1004336348-839522115-500\Dc22.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3636GVY6\bbqa[1].cab/wfxqhv.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3636GVY6\bbqa[1].cab/zqskw.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-1004336348-839522115-500\Dc18.dll -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-1004336348-839522115-500\Dc19.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-1004336348-839522115-500\Dc20.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-1004336348-839522115-500\Dc21.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3636GVY6\venus[1].tar -> Downloader.Adload.db : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-1004336348-839522115-1005\Dc2.exe -> Downloader.Adload.db : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-1004336348-839522115-500\Dc25.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\lt.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
:mozilla.126:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\qahktnsp.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.192:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vwae2nns.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.193:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vwae2nns.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.196:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.197:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.198:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.199:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.200:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.417:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.41:C:\Documents and Settings\Wei Jia Ni\Application Data\Mozilla\Firefox\Profiles\m2ygovnx.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.69:C:\Documents and Settings\Katie.WEIJIA-PC\Application Data\Mozilla\Firefox\Profiles\0558k74l.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.70:C:\Documents and Settings\Katie.WEIJIA-PC\Application Data\Mozilla\Firefox\Profiles\0558k74l.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.81:C:\Documents and Settings\Dandan.WEIJIA-PC\Application Data\Mozilla\Firefox\Profiles\4aidahot.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.82:C:\Documents and Settings\Dandan.WEIJIA-PC\Application Data\Mozilla\Firefox\Profiles\4aidahot.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\-Katie-\Cookies\-katie-@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\-Katie-\Cookies\-katie-@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\-Katie-\Cookies\-katie-@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Wei Jia Ni\Cookies\wei jia ni@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.127:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.128:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.129:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.170:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.171:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.113:C:\Documents and Settings\Wei Jia Ni\Application Data\Mozilla\Firefox\Profiles\m2ygovnx.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.114:C:\Documents and Settings\Wei Jia Ni\Application Data\Mozilla\Firefox\Profiles\m2ygovnx.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.115:C:\Documents and Settings\Wei Jia Ni\Application Data\Mozilla\Firefox\Profiles\m2ygovnx.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.96:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vwae2nns.default\cookies.txt -> TrackingCookie.Adorigin : Cleaned.
:mozilla.97:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vwae2nns.default\cookies.txt -> TrackingCookie.Adorigin : Cleaned.
:mozilla.98:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vwae2nns.default\cookies.txt -> TrackingCookie.Adorigin : Cleaned.
:mozilla.99:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vwae2nns.default\cookies.txt -> TrackingCookie.Adorigin : Cleaned.
:mozilla.139:C:\Documents and Settings\Katie.WEIJIA-PC\Application Data\Mozilla\Firefox\Profiles\0558k74l.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.140:C:\Documents and Settings\Katie.WEIJIA-PC\Application Data\Mozilla\Firefox\Profiles\0558k74l.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.141:C:\Documents and Settings\Katie.WEIJIA-PC\Application Data\Mozilla\Firefox\Profiles\0558k74l.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.177:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.178:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.179:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.188:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.189:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.190:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.76:C:\Documents and Settings\Katie.WEIJIA-PC\Application Data\Mozilla\Firefox\Profiles\0558k74l.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.102:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\qahktnsp.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.103:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\qahktnsp.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.104:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\qahktnsp.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.122:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vwae2nns.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.123:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vwae2nns.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.124:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vwae2nns.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.125:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vwae2nns.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.126:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vwae2nns.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.127:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vwae2nns.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.128:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vwae2nns.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.309:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.310:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.95:C:\Documents and Settings\Wei Jia Ni\Application Data\Mozilla\Firefox\Profiles\m2ygovnx.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.96:C:\Documents and Settings\Wei Jia Ni\Application Data\Mozilla\Firefox\Profiles\m2ygovnx.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.23:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.24:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.25:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.26:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.27:C:\Documents and Settings\-Katie-\Application Data\Mozilla\Firefox\Profiles\x80n17qd.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.30:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\qahktnsp.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.31:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\qahktnsp.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.32:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vwae2nns.default\cookies.txt ->