Help!

Something Rotten In Denmark

 
  

albo



Joined: Apr 16, 2006
Posts: 4



PostPosted: Sun Apr 16, 2006 10:18 pm    Post subject:

So I was hit quite suddenly with a torrent of pop-ups and mysterious files popping up all over my computer yesterday morning. I've spent all the time since running Spy Sweeper and RegRun and hunting down fixes for specific problems on the internet. Things are much better now, but I still have some traces of problems, and I'm afraid that if I don't nip it in the bud now those traces will blossom into something more.

The main symptoms now are:

1) My computer's Startup list includes items called "bxnsw.exe" and "jpbrqs.exe reg_run". I'm pretty sure the filenames are random, and they return when I remove them from the list. The executables themselves I cannot find in Explorer (with hidden files viewable).

2) Spy Sweeper is constantly reporting that it's blocking access to "dl.web-nexus.net"

Anyway... I've seen how y'all have helped so many other people, so I was hoping you could help me. I really appreciate it. Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:37:01 PM, on 4/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\WINDOWS\csrss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\unklefatty\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\aysvq.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,kuyabxm.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\windows\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200601...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/18428c2ffa3c0d...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136826323562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136826319500
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...667/mcfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CB573EE-E1B1-40DE-A437-54A83CAD3FBC}: NameServer = 24.29.99.18,24.29.99.21
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: Windows Security Drivers (csrs) - Unknown owner - C:\WINDOWS\csrss.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Mon Apr 17, 2006 1:30 am    Post subject:

Welcome to Lockergnome.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you might get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on start update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net/en/download/updates/ to update manually.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate link if the main link doesn't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode (if you don't know how, go to http://www.bleepingcomputer.com/forums/ind...showtutorial=61 ).

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you check the last one:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\aysvq.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,kuyabxm.exe
O23 - Service: Windows Security Drivers (csrs) - Unknown owner - C:\WINDOWS\csrss.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)


Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

sc stop csrs
sc delete csrs
del delete.bat


Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.


Locate and delete the following:

C:\WINDOWS\system32\aysvq.exe
c:\windows\system32\kuyabxm.exe
C:\WINDOWS\csrss.exe - delete it in the WINDOWS folder ONLY
C:\Program Files\Network Monitor\


CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Run Ewido now:
* Click on scanner and then Settings. Under 'What to scan' select 'Scan every file' and hit OK.
* Click on 'Complete System Scan' and the scan will begin.
* While the scan is in progress you will be prompted to clean the first infected file it finds. Choose 'Remove', then put a check next to 'Perform action with all infections' in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.
* Once the scan has completed, there will be a button located on the bottom of the screen named 'Save report'.
* Click 'Save report'. Save it to your desktop.

Restart your computer to get back to Normal Mode. Post the Ewido report and a new HijackThis log here. Also give me this log:

Download FindQool http://downloads.subratam.org/Lon/FindQool.zip
* Extract the files and place the FindQool folder in root. Usually C:\
* Open the folder and run Qlocate.bat.
* Post the contents of the txt.log which will open.
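The entries greyknight17 tells albo to fix share a few patterns that can be checked mechanically before a person reads the whole log: a Shell= or UserInit= value that starts an extra executable, an emptied Internet Explorer search value, a core process name (csrss.exe) running from outside System32, and an unowned service whose binary is already gone. The script below is an added example and is not code from this thread or from HijackThis; its expected launch values, its list of core process names and the `allow` argument are assumptions made for the example, and the sample lines are copied from the log posted above.

```python
"""Triage heuristics for HijackThis log lines (added example, not from the thread).

Flags the patterns behind the entries the helper asked to have fixed. The
expected launch values, the core-process list and the allow-list are this
example's own assumptions; the sample lines come from the log posted above.
"""
import re
from dataclasses import dataclass

# Only the Windows defaults are expected in these two Winlogon launch values
# (assumption for this example).
EXPECTED = {"Shell": {"explorer.exe"}, "UserInit": {"userinit.exe"}}

# Core processes that legitimately run only from %SystemRoot%\System32.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}


@dataclass
class Finding:
    line: str
    reason: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, with surrounding quotes and spaces removed."""
    return path.replace("/", "\\").strip().strip('"').split("\\")[-1].lower()


def check_launch_key(line):
    """F2 lines: any executable beyond the Windows default in Shell= or UserInit=."""
    m = re.match(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", line)
    if not m:
        return None
    key, value = m.groups()
    names = [_basename(p) for p in value.split(",") if p.strip()]
    extras = [n for n in names if n not in EXPECTED[key]]
    return Finding(line, f"{key} also launches {', '.join(extras)}") if extras else None


def check_empty_search(line):
    """R0/R1 lines with an empty value: an IE search setting wiped by a hijacker."""
    if re.match(r"R[01] - .*=\s*$", line):
        return Finding(line, "Internet Explorer search setting is empty")
    return None


def check_core_process_path(line):
    """Process-list and O23 lines: a core process name outside System32 is an impostor."""
    m = re.search(r'([A-Za-z]:\\[^,"]*?\.exe)', line, re.IGNORECASE)
    if not m:
        return None
    path = m.group(1)
    name = _basename(path)
    if name in CORE_PROCESSES and "\\system32\\" not in path.lower():
        return Finding(line, f"{name} runs from {path} instead of System32")
    return None


def check_service(line):
    """O23 lines: a service with no identifiable owner whose binary is already missing."""
    m = re.match(r"O23 - Service: (.*?) - (.*?) - (.*)$", line)
    if not m:
        return None
    service, owner, target = m.groups()
    if owner == "Unknown owner" and target.endswith("(file missing)"):
        return Finding(line, f"service '{service}' has no owner and its binary is missing")
    return None


CHECKS = (check_launch_key, check_empty_search, check_core_process_path, check_service)


def triage(log_text, allow=()):
    """One Finding per suspicious line; lines containing an allow-listed substring
    (entries a reviewer has already cleared) are skipped."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or any(a.lower() in line.lower() for a in allow):
            continue
        for check in CHECKS:
            finding = check(line)
            if finding:
                findings.append(finding)
                break  # one reason per line is enough for a review queue
    return findings


# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\csrss.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\aysvq.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,kuyabxm.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: Windows Security Drivers (csrs) - Unknown owner - C:\WINDOWS\csrss.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, allow=("rpcapd",)):
        print(f"{f.reason}\n    {f.line}")
```

Run as a script it prints the review queue for the sample. Note that the WinPcap rpcapd entry is also queued by `check_service`, because it has no owner and a missing file, yet greyknight17 left it alone; the `allow` argument exists for exactly that kind of reviewer-cleared entry. Heuristic triage produces candidates, not verdicts.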
albo



Joined: Apr 16, 2006
Posts: 4



PostPosted: Mon Apr 17, 2006 1:08 pm    Post subject:

Thanks for the help. I ran all the tests and here are the reports:

Ewido:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:18:32 PM, 4/17/2006
+ Report-Checksum: C9AC7287

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6001CDF7-6F45-471b-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Netstat -> Adware.Ezula : Cleaned with backup
HKU\.DEFAULT\Software\DNS -> Adware.Shorty : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-57989841-879983540-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-18\Software\DNS -> Adware.Shorty : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
[1524] C:\WINDOWS\system32\pwbribx.dll -> Downloader.Qoologic.bj : Cleaned with backup
:mozilla.11:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.12:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.13:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.14:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.16:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.40:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.79:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.89:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.90:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.91:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.111:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.112:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.113:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.114:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.115:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.116:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.117:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.118:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.119:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.120:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.121:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.122:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.123:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.124:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.125:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.126:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.127:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.128:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.129:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.130:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.131:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.132:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.133:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.134:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.135:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.136:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.137:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.138:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.139:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.140:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.141:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.142:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.143:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.150:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.152:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.153:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.154:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.155:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.156:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.157:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.158:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.159:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.160:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.161:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.162:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.163:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.164:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.165:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.166:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.168:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.169:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.170:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.171:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.172:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.193:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.194:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.195:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.196:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.200:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup
:mozilla.201:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup
:mozilla.202:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup
:mozilla.203:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup
:mozilla.221:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
:mozilla.222:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
:mozilla.223:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.262:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.263:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.267:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Cqcounter : Cleaned with backup
:mozilla.283:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.285:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.286:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.287:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.288:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.289:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.290:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.308:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.321:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.340:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.341:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.342:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.343:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.383:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Coremetrics : Cleaned with backup
:mozilla.399:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.400:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.401:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.405:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.408:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.431:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.432:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.433:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.434:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.435:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.440:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.441:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.442:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.446:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.447:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.472:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.487:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Linksynergy : Cleaned with backup
:mozilla.488:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Linksynergy : Cleaned with backup
:mozilla.511:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.525:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.527:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.537:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.541:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.545:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.546:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.547:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.560:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.561:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.577:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.578:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.588:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.589:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.591:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.600:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.601:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.602:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.603:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.606:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.615:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.621:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.637:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
:mozilla.674:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup
:mozilla.725:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.740:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.756:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.765:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.788:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.789:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.790:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.792:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.793:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.813:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Coremetrics : Cleaned with backup
:mozilla.818:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.823:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.829:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.830:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.842:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.843:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.844:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.845:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.854:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.855:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.866:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.881:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.887:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.895:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Ivwbox : Cleaned with backup
:mozilla.897:C:\Documents and Settings\unklefatty\Application Data\Mozilla\Firefox\Profiles\vlg4f6qr.Default User\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\Documents and Settings\unklefatty\Desktop\backups\backup-20060416-210708-915.dll -> Adware.Mirar : Cleaned with backup
C:\Documents and Settings\unklefatty\Desktop\backups\backup-20060416-211756-616.dll -> Adware.SafeSurfing : Cleaned with backup
C:\Documents and Settings\unklefatty\Desktop\backups\backup-20060416-211756-753.dll -> Adware.PurityScan : Cleaned with backup
C:\Documents and Settings\unklefatty\My Documents\RegRun2\quarantine\NETMON.EXE -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
C:\Program Files\Access_Control\instant access.exe -> Trojan.P2E.br : Cleaned with backup
C:\Program Files\Common Files\Windows\mc-110-12-0000169.exe -> Dropper.Agent.aac : Cleaned with backup
C:\Program Files\Common Files\Windows\services32.exe -> Adware.Maxifiles : Cleaned with backup
C:\Program Files\Common Files\Τаsks\wuauboot.exe -> Downloader.PurityScan.w : Cleaned with backup
C:\Program Files\Network\ipnetwork.exe -> Adware.Maxifiles : Cleaned with backup
C:\WINDOWS\ac2_0009.exe -> Downloader.Small.cpu : Cleaned with backup
C:\WINDOWS\DH.dll -> Hijacker.Small.jf : Cleaned with backup
C:\WINDOWS\DH.dll_ -> Hijacker.Small.jf : Cleaned with backup
C:\WINDOWS\dW5rbGVmYXR0eQ\asappsrv.dll -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\keyboard11.exe -> Backdoor.VB.ary : Cleaned with backup
C:\WINDOWS\lxabiiq.exe -> Hijacker.VB.ij : Cleaned with backup
C:\WINDOWS\lxabiiqA.exe -> Hijacker.VB.ij : Cleaned with backup
C:\WINDOWS\mousepad11.exe -> Hijacker.VB.mo : Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\newname11.exe -> Downloader.Adload.ae : Cleaned with backup
C:\WINDOWS\pss\bxnsw.exeCommon Startup -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINDOWS\SYSC00.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\system32\Anh4V.exe -> Backdoor.VB.nb : Cleaned with backup
C:\WINDOWS\system32\Cio9fQ88.exe -> Backdoor.VB.nb : Cleaned with backup
C:\WINDOWS\system32\Dddun.exe -> Backdoor.VB.nb : Cleaned with backup
C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup
C:\WINDOWS\system32\in10b6s.dll -> Adware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\iniwin32.dll -> Adware.E2Give : Cleaned with backup
C:\WINDOWS\system32\irismon.dll -> Adware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\irssyncd.exe -> Adware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\Kpu5hoZ.exe -> Backdoor.VB.nb : Cleaned with backup
C:\WINDOWS\system32\nsq2B.dll -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\NurbZ.exe -> Backdoor.VB.nb : Cleaned with backup
C:\WINDOWS\system32\onquc.dat -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINDOWS\system32\syscpy.exe -> Proxy.Agent.d : Cleaned with backup
C:\WINDOWS\system32\syscpy1.exe -> Proxy.Agent.d : Cleaned with backup
C:\WINDOWS\system32\TafqX5mo.exe -> Backdoor.VB.nb : Cleaned with backup
C:\WINDOWS\system32\Ttb0.exe -> Backdoor.VB.nb : Cleaned with backup
C:\WINDOWS\system32\w0012584.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w0019f48.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\WjmRj.exe -> Backdoor.VB.nb : Cleaned with backup
C:\WINDOWS\system32\Yly4.exe -> Backdoor.VB.nb : Cleaned with backup
C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Cleaned with backup
C:\WINDOWS\win320890-9907962.exe -> Adware.Enbrow : Cleaned with backup


::Report End

HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 1:20:41 PM, on 4/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
C:\Documents and Settings\unklefatty\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\aysvq.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,kuyabxm.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\windows\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200601...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/18428c2ffa3c0d...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136826323562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136826319500
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...667/mcfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CB573EE-E1B1-40DE-A437-54A83CAD3FBC}: NameServer = 24.29.99.18,24.29.99.21
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

FindQool:

Mon 04/17/2006
Running from: C:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.

Known file names

MD5 Check....
C:\WINDOWS\system32\onquc.dat
C:\WINDOWS\system32\jpbrqs.exe
C:\WINDOWS\system32\aysvq.exe
C:\WINDOWS\system32\pwbribx.dll
C:\WINDOWS\system32\kuyabxm.exe

Files found with locate com.
C:\WINDOWS\SYSTEM32\KUYABXM.EXE
C:\WINDOWS\SYSTEM32\PWBRIBX.DLL
C:\WINDOWS\SYSTEM32\ONQUC.DAT
C:\WINDOWS\SYSTEM32\JPBRQS.EXE
C:\WINDOWS\SYSTEM32\AYSVQ.EXE
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\BXNSW.EXE
Re-check using dir /a:-d
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
04/16/2006 05:10 PM 127,488 bxnsw.exe
...

HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}

...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
"ihfjqq"="C:\\WINDOWS\\system32\\jpbrqs.exe reg_run"
HKCU
"femkr"="C:\\WINDOWS\\system32\\jpbrqs.exe reg_run"
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe, C:\WINDOWS\system32\aysvq.exe
userinit REG_SZ C:\WINDOWS\SYSTEM32\Userinit.exe,kuyabxm.exe
...
SWReg utility
Written by Bobbi Flekman © 2005
Findqool edited 4/05/2006


greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Mon Apr 17, 2006 2:11 pm    Post subject:

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[-HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ihfjqq"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"femkr"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Shell"="Explorer.exe"


Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.


Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Right click and copy the below lines. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\WINDOWS\system32\onquc.dat
C:\WINDOWS\system32\jpbrqs.exe
C:\WINDOWS\system32\aysvq.exe
C:\WINDOWS\system32\pwbribx.dll
C:\WINDOWS\system32\kuyabxm.exe
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\BXNSW.EXE


If you get a PendingOperations message, just close it and restart your computer manually.

Restart and give me a new FindQool and HijackThis log.
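The procedure above (export a backup, merge a .reg that drops the two Run values and restores the Winlogon Shell/Userinit defaults, then let KillBox delete the files at reboot) as a single script. This is an added example, not greyknight17's instructions, KillBox, or anything posted in the thread. Assumptions: it targets a later Windows with PowerShell 3 or newer run from an elevated prompt (XP in 2006 had no PowerShell by default); the value names, file paths and the two default Winlogon strings are taken from the FindQool log above and will differ on another machine; and it treats MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT (which records the paths in PendingFileRenameOperations) as the delete-on-reboot mechanism, which is an assumption about how KillBox's 'Delete on Reboot' works rather than something the page states. Without -Fix it only reports, so the same script serves as the check after the reboot.

```powershell
<#
  Added example: PowerShell version of the Winlogon / Run-key cleanup described above.
  Not the page's code. Run from an elevated PowerShell prompt. Without -Fix the script
  only reports what it would change.
#>
param(
    # Value names and dropped files as listed in this thread's FindQool log.
    [string[]]$RunValueNames = @('ihfjqq', 'femkr'),
    [string[]]$FilesToDelete = @(
        "$env:SystemRoot\system32\onquc.dat",
        "$env:SystemRoot\system32\jpbrqs.exe",
        "$env:SystemRoot\system32\aysvq.exe",
        "$env:SystemRoot\system32\pwbribx.dll",
        "$env:SystemRoot\system32\kuyabxm.exe",
        (Join-Path ([Environment]::GetFolderPath('CommonStartup')) 'bxnsw.exe')
    ),
    [switch]$Fix
)
$ErrorActionPreference = 'Stop'

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$runKeys = @{
    HKLM = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    HKCU = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
}
# The only legitimate content of these two values; anything appended after a comma is a hijack.
$expectedWinlogon = @{
    Shell    = 'Explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}

# 1. Export the keys we are about to change (the regedit File->Export step).
$backupDir = Join-Path ([Environment]::GetFolderPath('Desktop')) 'regbackup'
New-Item -ItemType Directory -Force -Path $backupDir | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($key in @($winlogonKey) + @($runKeys.Values)) {
    $file = Join-Path $backupDir (($key -replace '[:\\ ]', '_') + "-$stamp.reg")
    reg.exe export ($key -replace '^(HK..):\\', '$1\') $file | Out-Null
}

# 2. Winlogon Shell / Userinit: split on ',' and flag every entry that is not the default.
$current = Get-ItemProperty -Path $winlogonKey
foreach ($name in @($expectedWinlogon.Keys)) {
    $value   = [string]$current.$name
    $default = $expectedWinlogon[$name].TrimEnd(',')
    $entries = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $extra   = @($entries | Where-Object { $_ -ne $default })
    if ($extra.Count -gt 0) {
        Write-Warning ("Winlogon {0} = '{1}' carries: {2}" -f $name, $value, ($extra -join ', '))
        if ($Fix) { Set-ItemProperty -Path $winlogonKey -Name $name -Value $expectedWinlogon[$name] }
    } else {
        Write-Host "Winlogon $name is clean: $value"
    }
}

# 3. Run keys: show each value's executable, whether it exists and whether it is signed,
#    then remove the values named in -RunValueNames.
foreach ($hive in $runKeys.Keys) {
    $regKey = Get-Item -Path $runKeys[$hive]
    foreach ($name in $regKey.GetValueNames()) {
        $cmd = [string]$regKey.GetValue($name)
        # The executable is the quoted first token, or everything up to the first ".exe".
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] }
               elseif ($cmd -match '^(.+?\.exe)') { $Matches[1] }
               else { $cmd }
        if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
            $found = Get-Command $exe -ErrorAction SilentlyContinue   # bare names such as RUNDLL32.EXE
            if ($found) { $exe = $found.Path }
        }
        $status = if ($exe -and (Test-Path -LiteralPath $exe)) {
            (Get-AuthenticodeSignature -FilePath $exe).Status
        } else { 'FILE MISSING' }
        Write-Host ("{0}\Run [{1}] -> {2} ({3})" -f $hive, $name, $exe, $status)
        if ($RunValueNames -contains $name) {
            Write-Warning "Removing $hive Run value '$name' = $cmd"
            if ($Fix) { Remove-ItemProperty -Path $runKeys[$hive] -Name $name }
        }
    }
}

# 4. Queue the dropped files for deletion at the next reboot. Assumption: this is the
#    mechanism behind KillBox's 'Delete on Reboot' (MoveFileEx with
#    MOVEFILE_DELAY_UNTIL_REBOOT, which records the paths in PendingFileRenameOperations).
$signature = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$kernel32 = Add-Type -MemberDefinition $signature -Name 'Kernel32' -Namespace 'Win32' -PassThru
$MOVEFILE_DELAY_UNTIL_REBOOT = 4
foreach ($f in $FilesToDelete) {
    if (-not (Test-Path -LiteralPath $f)) { Write-Host "Not present: $f"; continue }
    Write-Warning "Queueing for delete-on-reboot: $f"
    if ($Fix -and -not ($kernel32::MoveFileEx($f, $null, $MOVEFILE_DELAY_UNTIL_REBOOT))) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for $f (Win32 error $err)"
    }
}
if ($Fix) { Write-Host 'Reboot now, then re-run without -Fix to confirm everything is gone.' }
```

Two points worth noting. First, the script deletes nothing immediately: the thread shows the Run values and the Winlogon entries coming back after the first merge, which is what you expect while the dropper is still resident, so the file removals are deferred to reboot exactly as the post recommends, and the registry fix should be re-checked afterwards. Second, the Run-key listing prints the Authenticode status of every autostart executable rather than only the two named values; the vendor binaries in the HijackThis log (IntelliPoint, NvCpl) are signed, while randomly named droppers in system32 show up as NotSigned or FILE MISSING, which is the quickest way to spot a renamed replacement if the names change again.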
albo



Joined: Apr 16, 2006
Posts: 4



PostPosted: Mon Apr 17, 2006 2:43 pm    Post subject:

Those little bastards are still in there.

FindQool:

Mon 04/17/2006
Running from: C:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.

Known file names

MD5 Check....

Files found with locate com.
Re-check using dir /a:-d
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
...


...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
"ihfjqq"="C:\\WINDOWS\\system32\\jpbrqs.exe reg_run"
HKCU
"femkr"="C:\\WINDOWS\\system32\\jpbrqs.exe reg_run"
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ explorer.exe
userinit REG_SZ C:\WINDOWS\SYSTEM32\Userinit.exe,
...
SWReg utility
Written by Bobbi Flekman © 2005
Findqool edited 4/05/2006


HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 2:57:06 PM, on 4/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Documents and Settings\unklefatty\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\aysvq.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,kuyabxm.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ihfjqq] C:\WINDOWS\system32\jpbrqs.exe reg_run
O4 - HKCU\..\Run: [femkr] C:\WINDOWS\system32\jpbrqs.exe reg_run
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\windows\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200601...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/18428c2ffa3c0d...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136826323562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136826319500
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...667/mcfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CB573EE-E1B1-40DE-A437-54A83CAD3FBC}: NameServer = 24.29.99.18,24.29.99.21
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Mon Apr 17, 2006 9:06 pm    Post subject:

Please watch your language there...

Please print the below instructions or copy them to Notepad.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ihfjqq"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"femkr"=-


Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.


Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\aysvq.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,kuyabxm.exe
O4 - HKLM\..\Run: [ihfjqq] C:\WINDOWS\system32\jpbrqs.exe reg_run
O4 - HKCU\..\Run: [femkr] C:\WINDOWS\system32\jpbrqs.exe reg_run


Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Right click and copy the below lines. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\WINDOWS\system32\aysvq.exe
C:\WINDOWS\system32\kuyabxm.exe
C:\WINDOWS\system32\jpbrqs.exe


If you get a PendingOperations message, just close it and restart your computer manually.


Restart and run a new HijackThis scan. Save the log file and post it here. Also give us the new FindQool log.
albo



Joined: Apr 16, 2006
Posts: 4



PostPosted: Mon Apr 17, 2006 10:16 pm    Post subject:

Sorry for the "B" word.

Did as I was told, everything looks clean to my very untrained eyes. Please tell me it is!

Also, what (free) programs would you recommend to keep this from happening again? Is running ewido every once in a while a good idea?

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 10:28:38 PM, on 4/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Documents and Settings\unklefatty\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\windows\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200601...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/18428c2ffa3c0d...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136826323562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136826319500
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...667/mcfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CB573EE-E1B1-40DE-A437-54A83CAD3FBC}: NameServer = 24.29.99.18,24.29.99.21
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

FindQool:

Mon 04/17/2006
Running from: C:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.

Known file names

MD5 Check....

Files found with locate com.
Re-check using dir /a:-d
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
...


...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
HKCU
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe
userinit REG_SZ C:\WINDOWS\system32\userinit.exe,
...
SWReg utility
Written by Bobbi Flekman © 2005
Findqool edited 4/05/2006
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Tue Apr 18, 2006 9:22 pm    Post subject:

Yes, you may run Ewido once in a while if you wish. It doesn't take that many resources to run the scan anyway and should finish scanning in about an hour (give or take).

Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Topic closed since issue is resolved.