Computer Hope
Software => Computer viruses and spyware => Virus and spyware removal => Topic started by: nyjester on August 26, 2010, 02:56:29 PM
-
I have a similar issue as post http://www.computerhope.com/forum/index.php/topic,107468.msg724951.html#msg724951.
I am running Windows XP with four accounts and only one of them along with the administrator account appear to be infected. Every time is try to launch a program I get the message "Application cannot be executed. The file *** is infected. It then asks me if I want to remove the infected files and when I say yes it launches what appears to be a bogus Anti-virus scan and eventually takes me to a screen where I can choose different anti-virus software packages. It also prompts for credit card information !!
I have McAfee running and it flags one file as being infected, but indicates that my system is clean. This program is a nightmare. Please help.
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialist of this forum so it may take a bit longer to process your logs.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
Save Rkill to your desktop.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
* Rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
* Rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
* Rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
* Rkill.pif (http://download.bleepingcomputer.com/grinler/rkill.pif)
Once you've gotten one of them to run then try to immediately run the following.
*****************************************************
SUPERAntiSpyware
If you already have SUPERAntiSpyware be sure to check for updates before scanning!
Download SuperAntispyware Free Edition (SAS) (http://www.superantispyware.com/download.html)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.
•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:
•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
•Please leave the others unchecked
•Click the Close button to leave the control center screen.
* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes
•To retrieve the removal information please do the following:
•After reboot, double-click the SUPERAntiSpyware icon on your desktop.
•Click Preferences. Click the Statistics/Logs tab.
•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
•It will open in your default text editor (preferably Notepad).
•Save the notepad file to your desktop by clicking (in notepad) File > Save As...
* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
*Copy and Paste the log in your post.
********************************************
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Please download Malwarebytes Anti-Malware from here (http://www.malwarebytes.org/mbam/program/mbam-setup.exe).
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Full Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- Please save the log to a location you will remember.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
*********************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.
Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
********************************************
-
Hi
I tried running all four and have received the following error running the first three:
"pev.rkexe has encountered a problem and needs to close. We are sorry for the inconvenience."
For the.pif file I receive a 404 error.
-
Can you run the scans in one of the accounts that are not infected?
-
Actually it looks like it has worked i am able to login to the infected account and as admin and I no longer get the error msg. I can run all programs. I have gone onto the next step
SUPERAntiSpyware and have run this and will be posting the logs
Thanks
-
Here is the log from SUPERAntiSpyware
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 08/28/2010 at 06:45 PM
Application Version : 4.42.1000
Core Rules Database Version : 5424
Trace Rules Database Version: 3236
Scan type : Complete Scan
Total Scan Time : 03:15:55
Memory items scanned : 802
Memory threats detected : 0
Registry items scanned : 8330
Registry threats detected : 52
File items scanned : 196204
File threats detected : 1734
Adware.Vundo/Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#SSODL
Unclassified.Unknown Origin
HKU\S-1-5-21-996714675-410125178-2772349435-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{134F7664-943D-3BB9-65F5-70B91DF46C86}
HKCR\CLSID\{134F7664-943D-3BB9-65F5-70B91DF46C86}
Trojan.SmitFraud Variant
HKU\S-1-5-21-996714675-410125178-2772349435-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{77701E16-9BFE-4B63-A5B4-7BD156758A37}
HKCR\CLSID\{77701E16-9BFE-4B63-A5B4-7BD156758A37}
Adware.Tracking Cookie
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@incentaclick[2].txt
C:\Documents and Settings\Dan\Cookies\dan@interclick[2].txt
C:\Documents and Settings\Dan\Cookies\dan@adultreviews[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@flightstats[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@adlegend[1].txt
C:\Documents and Settings\Dan\Cookies\dan@countrywide[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@pornblograbbit[2].txt
C:\Documents and Settings\Dan\Cookies\dan@lynxtrack[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@fortunecity[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@imrworldwide[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@collector[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@akira[2].txt
C:\Documents and Settings\Dan\Cookies\dan@serving-sys[2].txt
C:\Documents and Settings\Dan\Cookies\dan@bizrate[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@questionmarket[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@123count[2].txt
C:\Documents and Settings\Dan\Cookies\dan@insightexpressai[2].txt
C:\Documents and Settings\Dan\Cookies\dan@xiti[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@keywordmax[1].txt
C:\Documents and Settings\Dan\Cookies\dan@tacoda[1].txt
C:\Documents and Settings\Dan\Cookies\dan@doubleclick[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@adknowledge[2].txt
C:\Documents and Settings\Dan\Cookies\dan@trafficmp[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@clips1[1].txt
C:\Documents and Settings\Dan\Cookies\dan@atwola[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@toplist[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@tracking[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@real-find[1].txt
C:\Documents and Settings\Dan\Cookies\dan@revenue[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@qksrv[2].txt
C:\Documents and Settings\Dan\Cookies\dan@belnk[1].txt
C:\Documents and Settings\Dan\Cookies\dan@maxserving[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@compu49-porno26[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@indexstats[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@burstnet[2].txt
C:\Documents and Settings\Dan\Cookies\dan@eurofuckfriends[1].txt
C:\Documents and Settings\Dan\Cookies\dan@mb[4].txt
C:\Documents and Settings\Dan\Cookies\dan@kontera[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@admarketplace[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@qnsr[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@christmasscreensavers[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][5].txt
C:\Documents and Settings\Dan\Cookies\dan@popularscreensavers[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@youporn[1].txt
C:\Documents and Settings\Dan\Cookies\dan@adtech[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@linuxquestions[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@stopzilla[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@media6degrees[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@cgi-bin[5].txt
C:\Documents and Settings\Dan\Cookies\dan@revsci[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@audioadserver[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@spylog[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@cashflowtracker[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@cpapdiscount[2].txt
C:\Documents and Settings\Dan\Cookies\dan@advertising[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@eyewonder[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@focalex[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@cgi-bin[7].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@azjmp[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@adinterax[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@traffic[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@regalinteractive[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][4].txt
C:\Documents and Settings\Dan\Cookies\dan@57386690[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@realmedia[1].txt
C:\Documents and Settings\Dan\Cookies\dan@screensavers[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@allrealityxxxpass[1].txt
C:\Documents and Settings\Dan\Cookies\dan@payasyouclick[2].txt
C:\Documents and Settings\Dan\Cookies\dan@shopica[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@questionpro[1].txt
C:\Documents and Settings\Dan\Cookies\dan@cgi-bin[1].txt
C:\Documents and Settings\Dan\Cookies\dan@hqthefilmsxxx[1].txt
C:\Documents and Settings\Dan\Cookies\dan@homeclick[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@tribalfusion[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@trafficdashboard[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@43836137[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@adbrite[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@partner2profit[2].txt
C:\Documents and Settings\Dan\Cookies\dan@findwhat[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@cgi-bin[4].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@thebestporn[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@insightfirst[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@collective-media[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@teensweek[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@9551721[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@nextstat[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@xxxcounter[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@toppornpictures[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@momsteachingteens[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@valueclick[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@specificclick[1].txt
C:\Documents and Settings\Dan\Cookies\dan@findarticles[1].txt
C:\Documents and Settings\Dan\Cookies\dan@postaltracking[1].txt
C:\Documents and Settings\Dan\Cookies\dan@apmebf[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@LPpacificsunwear[2].txt
C:\Documents and Settings\Dan\Cookies\dan@40715998[2].txt
C:\Documents and Settings\Dan\Cookies\dan@pro-market[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@freetrafficcam[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][3].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][3].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@riskwaters[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@7art-screensavers[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@cgi-bin[2].txt
C:\Documents and Settings\Dan\Cookies\dan@sexetc[2].txt
C:\Documents and Settings\Dan\Cookies\dan@roiservice[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][6].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@247realmedia[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@5[1].txt
C:\Documents and Settings\Dan\Cookies\dan@a[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@2o7[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@paycounter[1].txt
C:\Documents and Settings\Dan\Cookies\dan@couponmountain[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@dealtime[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@atdmt[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@fastclick[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@akira[3].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@5[3].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\dan@adultadworld[2].txt
C:\Documents and Settings\Dan\Cookies\dan@adultmatchdoctor[2].txt
C:\Documents and Settings\Dan\Cookies\dan@risk[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@12987554[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@adultfriendfinder[2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@advertisenetworktour[1].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][2].txt
C:\Documents and Settings\Dan\Cookies\[email protected][1].txt
C:\Documents and Settings\Dan\Cookies\dan@mediaresponder[2].txt
C:\Documents and Settings\Dan\Cookies\dan@backcountry[2].txt
2mdn.net [ C:\Documents and Settings\Angela\Application Data\Macromedia\Flash Player\#SharedObjects\8E5WADV7 ]
adknowledge.com [ C:\Documents and Settings\Angela\Application Data\Macromedia\Flash Player\#SharedObjects\8E5WADV7 ]
interclick.com [ C:\Documents and Settings\Angela\Application Data\Macromedia\Flash Player\#SharedObjects\8E5WADV7 ]
web.adknowledge.com [ C:\Documents and Settings\Angela\Application Data\Macromedia\Flash Player\#SharedObjects\8E5WADV7 ]
doubleclick.net [ C:\Documents and Settings\Angela\Application Data\Macromedia\Flash Player\#SharedObjects\H2DVE88X ]
.advertising.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.advertising.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.advertising.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.advertising.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.doubleclick.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.advertising.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.advertising.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.realmedia.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.realmedia.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.realmedia.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.realmedia.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.apmebf.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.fastclick.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.fastclick.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.fastclick.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.atwola.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.tacoda.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.tacoda.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.tacoda.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.tacoda.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.adopt.euroclick.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.trafficmp.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.2o7.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.2o7.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.2o7.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.2o7.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.2o7.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.ads.pointroll.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.ads.pointroll.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.ads.pointroll.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.ads.pointroll.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.ads.pointroll.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.ads.pointroll.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.ads.pointroll.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.interclick.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.questionmarket.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.questionmarket.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
.socialmedia.com [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
ads.revsci.net [ C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\0f9mfj7l.default\cookies.sqlite ]
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@2o7[2].txt
C:\Documents and Settings\Angela\Cookies\angela@2o7[4].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\angela@accounts[2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][3].txt
C:\Documents and Settings\Angela\Cookies\[email protected][4].txt
C:\Documents and Settings\Angela\Cookies\[email protected][5].txt
C:\Documents and Settings\Angela\Cookies\[email protected][6].txt
C:\Documents and Settings\Angela\Cookies\[email protected][8].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@adbrite[2].txt
C:\Documents and Settings\Angela\Cookies\angela@adcentriconline[1].txt
C:\Documents and Settings\Angela\Cookies\angela@adecn[1].txt
C:\Documents and Settings\Angela\Cookies\angela@adecn[2].txt
C:\Documents and Settings\Angela\Cookies\angela@adecn[3].txt
C:\Documents and Settings\Angela\Cookies\angela@adinterax[1].txt
C:\Documents and Settings\Angela\Cookies\angela@adknowledge[2].txt
C:\Documents and Settings\Angela\Cookies\angela@adlegend[2].txt
C:\Documents and Settings\Angela\Cookies\angela@admarketplace[2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@adprofile[2].txt
C:\Documents and Settings\Angela\Cookies\angela@adrevolver[1].txt
C:\Documents and Settings\Angela\Cookies\angela@adrevolver[3].txt
C:\Documents and Settings\Angela\Cookies\angela@adrevolver[4].txt
C:\Documents and Settings\Angela\Cookies\angela@adrevolver[5].txt
C:\Documents and Settings\Angela\Cookies\angela@adrevolver[6].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@adserver[1].txt
C:\Documents and Settings\Angela\Cookies\angela@adserver[2].txt
C:\Documents and Settings\Angela\Cookies\angela@adserver[4].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\angela@adtech[1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\angela@adverticum[1].txt
C:\Documents and Settings\Angela\Cookies\angela@advertising[1].txt
C:\Documents and Settings\Angela\Cookies\angela@advertising[2].txt
C:\Documents and Settings\Angela\Cookies\angela@advertising[4].txt
C:\Documents and Settings\Angela\Cookies\angela@advertising[5].txt
C:\Documents and Settings\Angela\Cookies\angela@advertising[6].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@apmebf[2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][3].txt
C:\Documents and Settings\Angela\Cookies\[email protected][4].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@atdmt[1].txt
C:\Documents and Settings\Angela\Cookies\angela@atdmt[2].txt
C:\Documents and Settings\Angela\Cookies\angela@atdmt[4].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\angela@atwola[1].txt
C:\Documents and Settings\Angela\Cookies\angela@atwola[3].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@azjmp[2].txt
C:\Documents and Settings\Angela\Cookies\angela@bannerspace[2].txt
C:\Documents and Settings\Angela\Cookies\angela@belnk[1].txt
C:\Documents and Settings\Angela\Cookies\angela@bfast[2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\angela@bizrate[1].txt
C:\Documents and Settings\Angela\Cookies\angela@bluestreak[2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@casalemedia[1].txt
C:\Documents and Settings\Angela\Cookies\angela@casalemedia[2].txt
C:\Documents and Settings\Angela\Cookies\angela@casalemedia[3].txt
C:\Documents and Settings\Angela\Cookies\angela@casalemedia[4].txt
C:\Documents and Settings\Angela\Cookies\angela@casalemedia[5].txt
C:\Documents and Settings\Angela\Cookies\angela@casalemedia[6].txt
C:\Documents and Settings\Angela\Cookies\angela@casalemedia[7].txt
C:\Documents and Settings\Angela\Cookies\angela@casalemedia[8].txt
C:\Documents and Settings\Angela\Cookies\angela@casalemedia[9].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\angela@clickshift[1].txt
C:\Documents and Settings\Angela\Cookies\angela@clicksor[1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@counter[1].txt
C:\Documents and Settings\Angela\Cookies\angela@countingdown[1].txt
C:\Documents and Settings\Angela\Cookies\angela@cpvfeed[2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@dealtime[1].txt
C:\Documents and Settings\Angela\Cookies\angela@degree-finder[1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\angela@doubleclick[1].txt
C:\Documents and Settings\Angela\Cookies\angela@doubleclick[2].txt
C:\Documents and Settings\Angela\Cookies\angela@doubleclick[3].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@emarketmakers[1].txt
C:\Documents and Settings\Angela\Cookies\angela@europe-countries[1].txt
C:\Documents and Settings\Angela\Cookies\angela@experclick[1].txt
C:\Documents and Settings\Angela\Cookies\angela@ez-tracks[1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@fastclick[1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@fixionmedia[1].txt
C:\Documents and Settings\Angela\Cookies\angela@fortunecity[1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@hitbox[2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\angela@hotbar[1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\angela@ientry[2].txt
C:\Documents and Settings\Angela\Cookies\angela@indextools[1].txt
C:\Documents and Settings\Angela\Cookies\angela@inet-traffic[1].txt
C:\Documents and Settings\Angela\Cookies\angela@insightexpressai[1].txt
C:\Documents and Settings\Angela\Cookies\angela@insightexpresserdd[1].txt
C:\Documents and Settings\Angela\Cookies\angela@insightexpress[1].txt
C:\Documents and Settings\Angela\Cookies\angela@insightfirst[2].txt
C:\Documents and Settings\Angela\Cookies\angela@interclick[1].txt
C:\Documents and Settings\Angela\Cookies\angela@kanoodle[2].txt
C:\Documents and Settings\Angela\Cookies\angela@kontera[2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\angela@learntoquestion[2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\angela@maxserving[2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@mediamatters[2].txt
C:\Documents and Settings\Angela\Cookies\angela@mediaplex[2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\angela@nbads[2].txt
C:\Documents and Settings\Angela\Cookies\angela@nextag[1].txt
C:\Documents and Settings\Angela\Cookies\angela@offeroptimizer[1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@onlinerewardcenter[2].txt
C:\Documents and Settings\Angela\Cookies\angela@optimost[1].txt
C:\Documents and Settings\Angela\Cookies\angela@overture[2].txt
C:\Documents and Settings\Angela\Cookies\angela@partner2profit[1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@partypoker[1].txt
C:\Documents and Settings\Angela\Cookies\angela@pbteen[1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@pro-market[2].txt
C:\Documents and Settings\Angela\Cookies\angela@qksrv[1].txt
C:\Documents and Settings\Angela\Cookies\angela@qnsr[1].txt
C:\Documents and Settings\Angela\Cookies\angela@questionmarket[1].txt
C:\Documents and Settings\Angela\Cookies\angela@questionmarket[2].txt
C:\Documents and Settings\Angela\Cookies\angela@questionmarket[3].txt
C:\Documents and Settings\Angela\Cookies\angela@questionmarket[5].txt
C:\Documents and Settings\Angela\Cookies\angela@realmedia[1].txt
C:\Documents and Settings\Angela\Cookies\angela@realmedia[2].txt
C:\Documents and Settings\Angela\Cookies\angela@realmedia[3].txt
C:\Documents and Settings\Angela\Cookies\angela@realmedia[5].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@revsci[1].txt
C:\Documents and Settings\Angela\Cookies\angela@revsci[2].txt
C:\Documents and Settings\Angela\Cookies\angela@rightmedia[1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][3].txt
C:\Documents and Settings\Angela\Cookies\[email protected][5].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@serving-sys[2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@smileycentral[2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@spamblockerutility[2].txt
C:\Documents and Settings\Angela\Cookies\angela@specificclick[2].txt
C:\Documents and Settings\Angela\Cookies\angela@starware[2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@stats-tracking[1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\angela@tacoda[2].txt
C:\Documents and Settings\Angela\Cookies\angela@tagworld[2].txt
C:\Documents and Settings\Angela\Cookies\angela@targetnet[1].txt
C:\Documents and Settings\Angela\Cookies\angela@teenpeople[1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\angela@toplist[1].txt
C:\Documents and Settings\Angela\Cookies\angela@toseeka[1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@tradedoubler[1].txt
C:\Documents and Settings\Angela\Cookies\angela@trafficmp[2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\angela@tribalfusion[1].txt
C:\Documents and Settings\Angela\Cookies\angela@tribalfusion[2].txt
C:\Documents and Settings\Angela\Cookies\angela@tribalfusion[4].txt
C:\Documents and Settings\Angela\Cookies\angela@tripod[2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@valueclick[1].txt
C:\Documents and Settings\Angela\Cookies\angela@valueclick[3].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@weborama[1].txt
C:\Documents and Settings\Angela\Cookies\angela@webstats4u[2].txt
C:\Documents and Settings\Angela\Cookies\angela@windowsmedia[2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@xiti[1].txt
C:\Documents and Settings\Angela\Cookies\angela@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkikicjgbowmdj6x9ny-1seq-2-2.stats.esomniture[2].txt
C:\Documents and Settings\Angela\Cookies\angela@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkisic5ahoaqdj6x9ny-1seq-2-2.stats.esomniture[1].txt
C:\Documents and Settings\Angela\Cookies\angela@y-1shz2prbmdj6wvny-1sez2pra2dj6wflisodpcboaudj6x9ny-1seq-2-2.stats.esomniture[2].txt
C:\Documents and Settings\Angela\Cookies\angela@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4qmdjilpaudj6x9ny-1seq-2-2.stats.esomniture[1].txt
C:\Documents and Settings\Angela\Cookies\angela@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4koc5oepqydj6x9ny-1seq-2-2.stats.esomniture[2].txt
C:\Documents and Settings\Angela\Cookies\angela@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlikicpkfoqydj6x9ny-1seq-2-2.stats.esomniture[2].txt
C:\Documents and Settings\Angela\Cookies\angela@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlogpazwcqq6dj6x9ny-1seq-2-2.stats.esomniture[2].txt
C:\Documents and Settings\Angela\Cookies\angela@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyqpdpcloqidj6x9ny-1seq-2-2.stats.esomniture[2].txt
C:\Documents and Settings\Angela\Cookies\angela@yieldmanager[1].txt
C:\Documents and Settings\Angela\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Cookies\angela@zedo[1].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\angela@2o7[1].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\angela@adrevolver[2].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\angela@adrevolver[3].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\[email protected][2].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\angela@advertising[1].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\angela@atdmt[2].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\angela@atwola[1].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\angela@burstnet[2].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\angela@casalemedia[2].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\angela@doubleclick[1].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\angela@fastclick[2].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\angela@insightexpressai[1].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\angela@mediaplex[1].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\angela@qnsr[1].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\angela@questionmarket[2].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\angela@realmedia[2].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\angela@revsci[1].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\angela@tacoda[2].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\angela@trafficmp[1].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\angela@tribalfusion[2].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Angela\Local Settings\Temp\Cookies\angela@zedo[2].txt
files.adbrite.com [ C:\Documents and Settings\Betty Ann\Application Data\Macromedia\Flash Player\#SharedObjects\5X42T7NG ]
interclick.com [ C:\Documents and Settings\Betty Ann\Application Data\Macromedia\Flash Player\#SharedObjects\5X42T7NG ]
media.hotcams.com [ C:\Documents and Settings\Betty Ann\Application Data\Macromedia\Flash Player\#SharedObjects\5X42T7NG ]
vidii.hardsextube.com [ C:\Documents and Settings\Betty Ann\Application Data\Macromedia\Flash Player\#SharedObjects\5X42T7NG ]
www.maxporn.com [ C:\Documents and Settings\Betty Ann\Application Data\Macromedia\Flash Player\#SharedObjects\5X42T7NG ]
www.naiadsystems.com [ C:\Documents and Settings\Betty Ann\Application Data\Macromedia\Flash Player\#SharedObjects\5X42T7NG ]
.maxporn.com [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.*adult URL* [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.viacom.adbureau.net [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.viacom.adbureau.net [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.viacom.adbureau.net [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.2o7.net [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
media.mtvnservices.com [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.2o7.net [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.2o7.net [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.2o7.net [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.2o7.net [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.fastclick.net [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.overture.com [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.fastclick.net [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.overture.com [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.fastclick.net [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.fastclick.net [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Betty Ann\Application Data\Mozilla\Firefox\Profiles\1jkl65n1.default\cookies.sqlite ]
.bs.serving-sys.com [ C:\Documents and Settings\Betty Ann\Applicatio
-
I still need to see the logs from MBAM, Security Check and also this one.
Please download: HiJackThis (http://go.trendmicro.com/free-tools/hijackthis/HijackThisInstaller.exe) to your Desktop.
- Double Click the HijackThis icon, located on your Desktop.
- By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
- Accept the license agreement.
- Click the Open the Misc Tools section button.
- Place a checkmark beside Calculate MD5 of files if possible. Then, click Back.
- Click Do a System Scan and Save a Logfile. Or, if you see a white screen, click Scan.
- Please post the log in your next reply.
-
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4496
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
8/29/2010 12:15:41 PM
mbam-log-2010-08-29 (12-15-41).txt
Scan type: Full scan (C:\|)
Objects scanned: 481391
Time elapsed: 2 hour(s), 24 minute(s), 32 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tobefekoni (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Dealio Toolbar\FF\components\dealioToolbarFF.dll (Adware.WidgiToolbar) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pfeajlhr (Rogue.AntivirusSuite.Gen) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uikuhfpd (Trojan.FakeAlert.Gen) -> No action taken.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> No action taken.
C:\Program Files\Dealio Toolbar\FF\components\dealioToolbarFF.dll (Adware.WidgiToolbar) -> No action taken.
-
Malwarebytes log after all things infected were removed
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4496
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
8/29/2010 12:22:21 PM
mbam-log-2010-08-29 (12-22-21).txt
Scan type: Full scan (C:\|)
Objects scanned: 481391
Time elapsed: 2 hour(s), 24 minute(s), 32 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tobefekoni (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Dealio Toolbar\FF\components\dealioToolbarFF.dll (Adware.WidgiToolbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pfeajlhr (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uikuhfpd (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\Program Files\Dealio Toolbar\FF\components\dealioToolbarFF.dll (Adware.WidgiToolbar) -> Quarantined and deleted successfully.
-
Log from Security Check
Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
McAfee AntiVirus Plus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java(TM) 6 Update 20
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java 2 Runtime Environment, SE v1.4.2_03
Out of date Java installed!
Adobe Flash Player 10.1.82.76
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Reader 6.0.1
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Reader 8.1.1
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.8)
````````````````````````````````
Process Check:
objlist.exe by Laurent
````````````````````````````````
DNS Vulnerability Check:
Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)
``````````End of Log````````````
-
Log from HIJackthis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:04 PM, on 8/29/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Upromise\dca-ua.exe
C:\Program Files\Upromise\UpromiseTray.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bankofamerica.com/signoff/?state=model
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\SearchSettings.dll
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exeC:\WINDOWS\system32\Userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll (filesize 1205560 bytes, MD5 764B1831B42DB6E4F68B9AEAED433A82)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (filesize 62080 bytes, MD5 C11F6A1F61481E24BE3FDC06EA6F7D2A)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (filesize 198136 bytes, MD5 F8981F09E8DA4FDB7F6B6E2B5361AEAE)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (filesize 118836 bytes, MD5 3A79721C9ACC30CBA57266854C20238B)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100517205254.dll (filesize 73288 bytes, MD5 8F2C804A891173CF42BE3E7FBD9DA550)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (filesize 256112 bytes, MD5 783AD24A77CD964B9888F27535FCC56E)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (filesize 147456 bytes, MD5 44BCFF08947790E74BD7CC7532D2B793)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (filesize 764912 bytes, MD5 CD91E666B2446530583FBFFCF537BE4C)
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll (filesize 1275176 bytes, MD5 31D78CE999FA1BE96D9B821A8E60966A)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (filesize 228256 bytes, MD5 6FCCE07F8FA7824CB1EFCC1E44C97D33)
O2 - BHO: DCA - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files\Upromise\dca-bho.dll (filesize 329608 bytes, MD5 2EB59A4C4399001C5677CBC1A22137FB)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (filesize 458736 bytes, MD5 CB84DFAFF68CD27E840251343B9B8E99)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (filesize 41760 bytes, MD5 385BD69743EA92E76CDF07B3345A25D5)
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\SearchSettings.dll (filesize 1109504 bytes, MD5 B2370F9E01367E37D6A5F3BE1A02E1D1)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (filesize 79648 bytes, MD5 4E2BB6D2677B42AD04BE18A6E9817B68)
O2 - BHO: ToolHelper - {EDC0F17F-F4B7-47e4-B73E-887FAEB376FA} - C:\Program Files\Upromise\upromisetoolbar.dll (filesize 983040 bytes, MD5 108E40EECA7561371ECE6253FF227054)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\YTSingleInstance.dll (filesize 158520 bytes, MD5 5DC423D89A927F04F7C562EEDD904012)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll (filesize 172032 bytes, MD5 9BC0B8E6DD2FDB3A6B1C4301E8482F8F)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (filesize 147456 bytes, MD5 44BCFF08947790E74BD7CC7532D2B793)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll (filesize 1205560 bytes, MD5 764B1831B42DB6E4F68B9AEAED433A82)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (filesize 228256 bytes, MD5 6FCCE07F8FA7824CB1EFCC1E44C97D33)
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll (filesize 1275176 bytes, MD5 31D78CE999FA1BE96D9B821A8E60966A)
O3 - Toolbar: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll (filesize 983040 bytes, MD5 108E40EECA7561371ECE6253FF227054)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (filesize 256112 bytes, MD5 783AD24A77CD964B9888F27535FCC56E)
O3 - Toolbar: (no name) - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - (no file)
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exeC:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" (filesize 53248 bytes, MD5 6A66B6A314F6EF30CD1CF82A17DAAD52)
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exeC:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXEC:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXEC:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" (filesize 290816 bytes, MD5 E02C0E78E5CFB01BF9D1866DBA18B456)
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeC:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r (filesize 110592 bytes, MD5 22FD4E58D69969A9165721C797D54931)
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER (filesize 26112 bytes, MD5 849D97FE4CC09CFC2772D10F641E1BAF)
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" (filesize 110592 bytes, MD5 1B0FB5F0975957ADFD02C555F5674F60)
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exeC:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup (filesize 29744 bytes, MD5 6542DC2E93BCE4D4289FA70A4D367DC2)
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE (filesize 28672 bytes, MD5 97615AB538986082787E4989E03C48F7)
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exeC:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" (filesize 16384 bytes, MD5 267B3A856E9F4DB1CABD4E6DB71E07D2)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (filesize 39792 bytes, MD5 E28D00EC675F5F5A5A0555E7A4523A6E)
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter (filesize 206064 bytes, MD5 00D1FB0073B4A8BD2989EA8FF4CC792B)
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exeC:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exeC:\Program Files\Search Settings\SearchSettings.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" (filesize 144784 bytes, MD5 6AB4C021FBD36DC6764924C312428D97)
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey (filesize 1193848 bytes, MD5 1A4FEE255228AB6EFCAA81BC6BE2D591)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (filesize 141608 bytes, MD5 869A67EE7C237DD9F9104854CAE0A9CD)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (filesize 421888 bytes, MD5 49385AFEE6EDFA0A0177BE6651AADD77)
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript (filesize 1090952 bytes, MD5 D594EA4AC1C0E4675EF2F0063950ABEF)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (filesize 460784 bytes, MD5 B75FDBF14073D72C50624CC8338DD534)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (filesize 68856 bytes, MD5 E616A6A6E91B0A86F2F6217CDE835FFE)
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter (filesize 206064 bytes, MD5 00D1FB0073B4A8BD2989EA8FF4CC792B)
O4 - HKCU\..\Run: [Upromise Update] C:\Program Files\Upromise\dca-ua.exeC:\Program Files\Upromise\dca-ua.exe
O4 - HKCU\..\Run: [Upromise Tray] C:\Program Files\Upromise\UpromiseTray.exeC:\Program Files\Upromise\UpromiseTray.exe
O4 - HKCU\..\Run: [My Faster PC] c:\program files\consumersoft\my faster pc\mfpchelper.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (filesize 136176 bytes, MD5 F02A533F517EB38333CB12A9E8963773)
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet (filesize 5252408 bytes, MD5 C0D12E6C85FC6DD7FF1DBB04F2DC933B)
O4 - HKUS\S-1-5-19\..\Run: [tobefekoni] Rundll32.exe "C:\WINDOWS\system32\kirofove.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [tobefekoni] Rundll32.exe "C:\WINDOWS\system32\kirofove.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe (filesize 393216 bytes, MD5 01F7BA16BC60D65149FA36F355319171)
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (filesize 217194 bytes, MD5 CFE5228556C93D03D6753E7953CCD4A9)
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe (filesize 36953 bytes, MD5 6C56AF320E0C65B14B3B36F655A5C68E)
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe (filesize 323584 bytes, MD5 9507E64C96FD578E9C1AB31108040059)
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe (filesize 323646 bytes, MD5 B23ED6DEA5EC6A8E014A8F09E59981C0)
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (filesize 83360 bytes, MD5 5BC65464354A9FD3BEAA28E18839734A)
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html (filesize 747 bytes, MD5 9E46AF9EC78CE778ECC46CBAC1D258D8)
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll (filesize 983040 bytes, MD5 108E40EECA7561371ECE6253FF227054)
O9 - Extra 'Tools' menuitem: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll (filesize 983040 bytes, MD5 108E40EECA7561371ECE6253FF227054)
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll (filesize 1275176 bytes, MD5 31D78CE999FA1BE96D9B821A8E60966A)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (filesize 198136 bytes, MD5 F8981F09E8DA4FDB7F6B6E2B5361AEAE)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll (filesize 1499136 bytes, MD5 26CB10FA893F940AB09713FF46DCDADE)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://corpsysdev.metlife.com/Citrix/MetaFrame/ICAWEB_common/en/ica32/wficat.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234623417187
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.aquire.com/codebase70/OrgPubX.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-pso-attwm/webex/ieatgpc.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (filesize 228256 bytes, MD5 6FCCE07F8FA7824CB1EFCC1E44C97D33)
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (filesize 228256 bytes, MD5 6FCCE07F8FA7824CB1EFCC1E44C97D33)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLLC:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exeC:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files\Application Updater\ApplicationUpdater.exeC:\Program Files\Application Updater\ApplicationUpdater.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exeC:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exeC:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exeC:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeC:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeC:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exeC:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exeC:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exeC:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeC:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exeC:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exeC:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exeC:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exeC:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exeC:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exeC:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exeC:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exeC:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exeC:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exeC:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: PCCare Premium - Unknown owner - C:\Program Files\PCCare\Client\srvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exeC:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exeC:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exeC:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exeC:\WINDOWS\wanmpsvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exeC:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 26199 bytes
-
Update Your Java (JRE)
Old versions of Java have vulnerabilities that malware can use to infect your system.
First Verify your Java Version (http://www.java.com/en/download/installed.jsp)
If there are any other version(s) installed then update now.
Get the new version (if needed)
If your version is out of date install the newest version of the Sun Java Runtime Environment (http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html).
Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.
Be sure to close ALL open web browsers before starting the installation.
Remove any old versions
1. Download JavaRa (http://raproducts.org/click/click.php?id=1) and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.
4. Run CCleaner.
Additional Note: The Java Quick Starter (JQS.exe) (http://java.sun.com/javase/6/docs/technotes/guides/jweb/otherFeatures/jqs.html) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
***********************************
Please download the newest version of Adobe Acrobat Reader from Adobe.com (http://www.adobe.com/products/acrobat/readstep2.html)
Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.
Once old versions are gone, please install the newest version.
********************************************
You have Viewpoint installed.
Viewpoint Media Player/Manager/Toolbar is considered as Foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad".
More information:
* ViewMgr.exe - Useless (http://www.greatis.com/appdata/u/v/viewmgr.exe.htm)
* Viewpoint to Plunge Into Adware (http://www.clickz.com/news/article.php/3561546/)
It is suggested to remove the program now. Go to Start > Control Panel > Add/Remove Programs - (Vista & Win7 is Programs and Features) and remove the following programs if present.
* Viewpoint
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
* Viewpoint Experience Technology
************************************
Download Disable/Remove Windows Messenger (http://www.majorgeeks.com/DisableRemove_Windows_Messenger_d2327.html) to the desktop to remove Windows Messenger.
Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.
Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.
Exit out of MessengerDisable then delete the two files that were put on the desktop.
******************************************
Copy and paste the text in the code box below into Notepad.
@echo off
del C:\WINDOWS\system32\kirofove.dll
del begone.bat
exit
Then click File > Save as
Save to the Desktop as begone.bat
And Save as type: All Files.
Double-click on begone.bat to run it.
******************************************
Open HijackThis and select Do a system scan only
Place a check mark next to the following entries: (if there)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
O3 - Toolbar: (no name) - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - (no file)
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript (filesize 1090952 bytes, MD5 D594EA4AC1C0E4675EF2F0063950ABEF)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
O4 - HKUS\S-1-5-19\..\Run: [tobefekoni] Rundll32.exe "C:\WINDOWS\system32\kirofove.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [tobefekoni] Rundll32.exe "C:\WINDOWS\system32\kirofove.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
Internet Explorer's security is based upon a set of zones. Each zone has different security in terms of what scripts and applications can be run from a site that is in that zone. There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge. It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge as these sites will be in the Trusted Zone. Therefore, I recommend that nothing be allowed in the trusted zone. If you agree, please do the following.Please place a check mark next to this/these line/lines.
O15 - Trusted Zone: http://*.mcafee.com
Important: Close all open windows except for HijackThis and then click Fix checked.
Once completed, exit HijackThis.
******************************************
Download ComboFix by sUBs from one of the below links.
Important! You MUST save ComboFix to your desktop
link # 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link # 2 (http://subs.geekstogo.com/ComboFix.exe)
Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
Double click on ComboFix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
When the scan completes it will open a text window.
Post the contents of that log in your next reply.
Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.
-
Combo fix log
ComboFix 10-09-03.02 - Dan 09/04/2010 11:22:56.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.504 [GMT -4:00]
Running from: c:\documents and settings\Dan\My Documents\Downloads\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Betty Ann\Application Data\Dealio
c:\documents and settings\Betty Ann\Application Data\Dealio\res\widgets.xml
c:\documents and settings\Betty Ann\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
c:\documents and settings\Cara\Application Data\Dealio
c:\documents and settings\Cara\Application Data\Dealio\res\widgets.xml
c:\documents and settings\Cara\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
c:\documents and settings\Dan\Application Data\Dealio
c:\documents and settings\Dan\Application Data\Dealio\res\widgets.xml
c:\documents and settings\Dan\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
c:\program files\Dealio Toolbar
c:\program files\Dealio Toolbar\FF\chrome.manifest
c:\program files\Dealio Toolbar\FF\chrome\content\chevron.js
c:\program files\Dealio Toolbar\FF\chrome\content\chevron.xul
c:\program files\Dealio Toolbar\FF\chrome\content\login.js
c:\program files\Dealio Toolbar\FF\chrome\content\login.xul
c:\program files\Dealio Toolbar\FF\chrome\content\parser.js
c:\program files\Dealio Toolbar\FF\chrome\content\RssTickerWidget.js
c:\program files\Dealio Toolbar\FF\chrome\content\searchbox.js
c:\program files\Dealio Toolbar\FF\chrome\content\searchbox.xul
c:\program files\Dealio Toolbar\FF\chrome\content\widgichevron.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgicomm.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgihandling.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgilisteners.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgitoolbarplugin.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgitoolbarplugin.xul
c:\program files\Dealio Toolbar\FF\chrome\content\widgiui.js
c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\searchbox.dtd
c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\widgitoolbarplugin.dtd
c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\widgitoolbarplugin.properties
c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\yahoo-search.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\amazon.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\apple.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\barnes.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\bestbuy.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\chevron.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\dealio_logo.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\dealio_logo_hover.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\ebay.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\icon_settings.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\macys.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\newegg.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\overstock.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search-button-hover.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search-button.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search-chevron-hover.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search-chevron.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search_amazon.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search_dealio.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search_ebay.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search_yahoo.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\searchbox.css
c:\program files\Dealio Toolbar\FF\chrome\skin\separator.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\target.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\walmart.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\widgitoolbarplugin.css
c:\program files\Dealio Toolbar\FF\components\config.ini
c:\program files\Dealio Toolbar\FF\components\IFBHOHelperWidgiToolbar.xpt
c:\program files\Dealio Toolbar\FF\components\IFBHOWidgiToolbar.xpt
c:\program files\Dealio Toolbar\FF\install.rdf
c:\program files\Dealio Toolbar\IE\4.0.2\config.ini
c:\program files\Dealio Toolbar\Res\amazon.gif
c:\program files\Dealio Toolbar\Res\apple.gif
c:\program files\Dealio Toolbar\Res\barnes.gif
c:\program files\Dealio Toolbar\Res\bestbuy.gif
c:\program files\Dealio Toolbar\Res\dealio_logo.gif
c:\program files\Dealio Toolbar\Res\dealio_logo_hover.gif
c:\program files\Dealio Toolbar\Res\ebay.gif
c:\program files\Dealio Toolbar\Res\icon_settings.gif
c:\program files\Dealio Toolbar\Res\macys.gif
c:\program files\Dealio Toolbar\Res\newegg.gif
c:\program files\Dealio Toolbar\Res\overstock.gif
c:\program files\Dealio Toolbar\Res\search-button-hover.gif
c:\program files\Dealio Toolbar\Res\search-button.gif
c:\program files\Dealio Toolbar\Res\search-chevron-hover.gif
c:\program files\Dealio Toolbar\Res\search-chevron.gif
c:\program files\Dealio Toolbar\Res\search_amazon.gif
c:\program files\Dealio Toolbar\Res\search_dealio.gif
c:\program files\Dealio Toolbar\Res\search_ebay.gif
c:\program files\Dealio Toolbar\Res\search_yahoo.gif
c:\program files\Dealio Toolbar\Res\target.gif
c:\program files\Dealio Toolbar\Res\walmart.gif
c:\program files\Dealio Toolbar\Res\widgets.xml
c:\program files\Search Settings
c:\program files\Search Settings\FF\chrome.manifest
c:\program files\Search Settings\FF\chrome\content\plugin.js
c:\program files\Search Settings\FF\chrome\content\plugin.xul
c:\program files\Search Settings\FF\chrome\content\protection.js
c:\program files\Search Settings\FF\chrome\content\utils.js
c:\program files\Search Settings\FF\chrome\locale\en-US\searchsettingsplugin.dtd
c:\program files\Search Settings\FF\chrome\locale\en-US\searchsettingsplugin.properties
c:\program files\Search Settings\FF\components\IFBHOSearch.xpt
c:\program files\Search Settings\FF\components\IFBHOSearchHelperEngine.xpt
c:\program files\Search Settings\FF\components\IFHelperPreferences.xpt
c:\program files\Search Settings\FF\components\SearchSettingsFF.dll
c:\program files\Search Settings\FF\install.rdf
c:\program files\Search Settings\SeARchsettings.dll
c:\program files\Search Settings\SearchSettings.exe
C:\Thumbs.db
----- BITS: Possible infected sites -----
hxxp://download.yimg.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_FAD
((((((((((((((((((((((((( Files Created from 2010-08-04 to 2010-09-04 )))))))))))))))))))))))))))))))
.
2010-09-04 14:11 . 2010-09-04 14:12 -------- d-----w- c:\program files\CCleaner
2010-08-29 16:36 . 2010-08-29 16:36 -------- d-----w- c:\program files\Trend Micro
2010-08-29 00:16 . 2010-08-29 00:16 -------- d-----w- c:\documents and settings\Dan\Application Data\Malwarebytes
2010-08-29 00:15 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-29 00:15 . 2010-08-29 00:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-29 00:15 . 2010-08-29 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-29 00:15 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-28 19:22 . 2010-08-28 19:22 -------- d-----w- c:\documents and settings\Dan\Application Data\SUPERAntiSpyware.com
2010-08-28 19:22 . 2010-08-28 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-08-28 19:22 . 2010-08-28 19:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-28 18:25 . 2010-08-28 18:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\MSN6
2010-08-28 18:25 . 2010-08-28 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2010-08-28 17:59 . 2010-08-28 17:59 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-08-28 17:12 . 2010-08-28 17:12 -------- d-sh--w- c:\documents and settings\Betty Ann\IETldCache
2010-08-28 16:17 . 2010-08-28 16:17 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-08-28 14:16 . 2010-08-28 14:16 -------- d-----w- c:\windows\system32\scripting
2010-08-28 14:16 . 2010-08-28 14:16 -------- d-----w- c:\windows\l2schemas
2010-08-28 14:16 . 2010-08-28 14:16 -------- d-----w- c:\windows\system32\en
2010-08-28 07:20 . 2010-08-28 07:20 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-08-28 07:00 . 2010-08-29 07:01 -------- d-----w- c:\windows\ie8updates
2010-08-28 04:08 . 2010-06-24 12:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-08-28 04:08 . 2010-06-24 12:21 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-08-28 04:08 . 2010-06-24 12:21 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-28 03:15 . 2010-08-28 03:15 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-08-27 23:36 . 2010-08-27 23:36 -------- d-sh--w- c:\documents and settings\Dan\IETldCache
2010-08-27 23:30 . 2010-08-27 23:31 -------- dc-h--w- c:\windows\ie8
2010-08-26 12:37 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-26 12:37 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-08-26 12:37 . 2010-06-18 13:36 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-08-26 12:32 . 2009-06-10 13:19 2066432 ------w- c:\windows\system32\dllcache\mstscax.dll
2010-08-26 12:16 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-08-26 12:16 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-08-26 12:02 . 2010-08-26 12:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Yahoo
2010-08-26 12:01 . 2010-08-26 12:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Search Settings
2010-08-26 12:01 . 2010-08-26 12:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AIM Toolbar
2010-08-26 11:59 . 2010-08-26 11:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2010-08-26 11:55 . 2010-08-26 11:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-08-26 11:54 . 2010-08-26 11:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-08-26 11:54 . 2010-08-26 11:54 -------- d--h--w- c:\documents and settings\Administrator\Application Data\GTek
2010-08-26 11:53 . 2010-08-26 11:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Musicmatch
2010-08-26 11:53 . 2010-08-26 11:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\SupportSoft
2010-08-26 11:53 . 2010-08-26 12:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-08-26 11:53 . 2010-08-26 11:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
2010-08-24 19:27 . 2010-08-29 20:49 -------- d-----w- c:\documents and settings\Betty Ann\Application Data\OpenOffice.org2
2010-08-22 12:58 . 2010-08-22 13:01 -------- d-----w- c:\documents and settings\Betty Ann\Local Settings\Application Data\Adobe
2010-08-21 21:42 . 2010-08-27 10:24 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\vtergwmow
2010-08-15 20:21 . 2010-08-15 20:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-08-13 12:50 . 2010-08-13 12:51 -------- d-----w- c:\program files\QuickTime
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-04 15:54 . 2008-03-24 21:53 -------- d-----w- c:\documents and settings\Dan\Application Data\OpenOffice.org2
2010-09-04 15:44 . 2004-09-20 15:25 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000001-00001102-00000004-10031102}.dat
2010-09-04 15:44 . 2004-09-20 15:25 288 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000001-00001102-00000004-10031102}.dat
2010-09-04 14:43 . 2004-09-20 15:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-09-04 14:43 . 2004-09-20 15:24 -------- d-----w- c:\program files\Viewpoint
2010-09-04 14:27 . 2004-10-10 18:48 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-04 13:57 . 2004-09-20 15:16 -------- d-----w- c:\program files\Java
2010-09-04 13:50 . 2004-09-20 15:16 -------- d-----w- c:\program files\Common Files\Java
2010-08-28 14:21 . 2004-03-20 17:57 89127 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-08-26 12:01 . 2005-09-24 22:16 -------- d-----w- c:\program files\Google
2010-08-26 11:52 . 2005-01-23 19:06 -------- d-----w- c:\program files\Web Publish
2010-08-22 12:34 . 2005-11-12 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-08-22 12:34 . 2007-05-27 13:15 -------- d--h--r- c:\documents and settings\Betty Ann\Application Data\yahoo!
2010-08-22 01:24 . 2009-08-09 13:53 -------- d-----w- c:\documents and settings\Betty Ann\Application Data\Search Settings
2010-07-31 16:30 . 2010-07-31 16:29 -------- d-----w- c:\program files\iTunes
2010-07-31 16:29 . 2004-12-25 20:19 -------- d-----w- c:\program files\iPod
2010-07-31 16:29 . 2008-01-17 01:27 -------- d-----w- c:\program files\Common Files\Apple
2010-07-31 16:21 . 2008-03-28 22:06 -------- d-----w- c:\program files\Safari
2010-07-17 16:17 . 2010-07-17 16:17 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-07-17 09:00 . 2010-05-02 21:35 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-14 02:01 . 2010-07-14 01:59 -------- d-----w- c:\documents and settings\Dan\Application Data\Yahoo!
2010-07-14 01:59 . 2005-11-12 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2010-07-14 01:59 . 2004-12-28 01:54 -------- d-----w- c:\program files\Yahoo!
2010-06-30 12:31 . 2004-03-30 01:48 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2005-04-27 14:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2003-09-25 14:35 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2003-03-28 11:54 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-03-19 22:37 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2004-03-19 22:37 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-14 07:41 . 2004-03-19 22:40 1172480 ----a-w- c:\windows\system32\msxml3.dll
2008-09-05 12:32 . 2008-09-05 12:32 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2010-04-27 21:16 . 2010-05-15 20:05 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Upromise Update"="c:\program files\Upromise\dca-ua.exe" [2009-04-13 96136]
"Upromise Tray"="c:\program files\Upromise\UpromiseTray.exe" [2009-04-14 139264]
"Google Update"="c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-05-29 136176]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-26 335872]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"AsioReg"="CTASIO.DLL" [2003-02-20 110592]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-09-20 26112]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 110592]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-01-19 11776]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-05 29744]
"StopSignSsTsMon"="c:\program files\Acceleration Software\Anti-Virus\sstsmon.dll" [2005-12-16 136864]
"CTHelper"="CTHELPER.EXE" [2003-02-20 28672]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-25 1193848]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
c:\documents and settings\Betty Ann\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
c:\documents and settings\Dan\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2004-9-20 36953]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-9-20 24576]
Forget Me Not.lnk - c:\program files\Broderbund\AG CreataCard\AGRemind.exe [2005-1-23 323584]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-11 323646]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-6-11 147456]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\SYSTEM32\\mmc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [5/15/2010 4:05 PM 82952]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [1/8/2010 1:51 AM 380928]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/15/2009 9:19 AM 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/15/2010 4:05 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [5/15/2010 4:05 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [5/15/2010 4:05 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [5/15/2010 4:05 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [5/15/2010 4:05 PM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [5/15/2010 4:05 PM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [5/15/2010 4:05 PM 88480]
S2 GDNYYOFS;GDNYYOFS;\??\c:\windows\system32\gdnyyofs.otb --> c:\windows\system32\gdnyyofs.otb [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/15/2010 4:16 PM 136176]
S2 PCCare Premium;PCCare Premium;c:\program files\PCCare\Client\srvc.exe --> c:\program files\PCCare\Client\srvc.exe [?]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/28/2005 6:10 PM 29744]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [5/15/2010 4:05 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [5/15/2010 4:05 PM 83496]
--- Other Services/Drivers In Memory ---
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
2010-08-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2007-03-03 c:\windows\Tasks\FRU Task 2002-06-11 17:56ewlett-Packard2002-06-11 17:56p psc 2200 series0873DBB30DAF953F7DCEA1BDCC4F78BFD B130745165022501.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-11 15:56]
2010-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-15 20:16]
2010-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-15 20:16]
2010-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-996714675-410125178-2772349435-1006Core.job
- c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-29 12:27]
2010-09-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-996714675-410125178-2772349435-1006UA.job
- c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-29 12:27]
2010-09-04 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-02-18 14:32]
2010-09-04 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-02-18 14:32]
2005-07-16 c:\windows\Tasks\{CA4BDAC1-BACD-4709-99AD-9515267BF538}_CARAANGELA_Cara.job
- c:\windows\system32\MOBSYNC.EXE [2004-03-19 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bankofamerica.com/signoff/?state=model
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: musicmatch.com\online
DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} - hxxp://www.aquire.com/codebase70/OrgPubX.cab
FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\2lyxdypp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bankofamerica.com/signoff/?state=model
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=867034&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Aim6 - (no file)
HKCU-Run-My Faster PC - c:\program files\consumersoft\my faster pc\mfpchelper.exe
HKLM-Run-1A:Stardock TrayMonitor - (no file)
HKLM-Run-SearchSettings - c:\program files\Search Settings\SearchSettings.exe
Notify-ckpNotify - (no file)
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-04 11:48
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GDNYYOFS]
"ImagePath"="\??\c:\windows\system32\gdnyyofs.otb"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1100)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(6076)
c:\windows\system32\WININET.dll
c:\windows\system32\ctagent.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\wanmpsvc.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\CTHELPER.EXE
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\OpenOffice.org 2.3\program\soffice.BIN
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\windows\System32\HPZipm12.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-09-04 12:03:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-04 16:03
Pre-Run: 185,820,041,216 bytes free
Post-Run: 187,328,290,816 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - 19711CC127D208ADF76966CC35CA40CF
-
Re-running ComboFix to remove infections:
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
DDS::
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: musicmatch.com\online
Driver::
GDNYYOFS
- Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img19.imageshack.us/img19/5660/cfscriptb4.gif)
- Referring to the picture above, drag CFScript into ComboFix.exe
- When finished, it shall produce a log for you at C:\ComboFix.txt
- Please post the contents of the log in your next reply.
*********************************
* Download the following tool: RootRepeal - Rootkit Detector (http://rootrepeal.googlepages.com/)
* Direct download link is here: RootRepeal.zip (http://rootrepeal.googlepages.com/RootRepeal.zip)
* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of such programs and how to disable them.
* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:RootRepeal
* Save it as rootrepeal.txt
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.
-
Combofix Log
ComboFix 10-09-06.02 - Dan 09/06/2010 15:46:26.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.385 [GMT -4:00]
Running from: C:\Documents and Settings\Dan\My Documents\Downloads\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dan\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
RootRepeal Log
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/09/06 18:06
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xEE67E000 Size: 479232 File Visible: No Signed: -
Status: -
Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7A20000 Size: 7936 File Visible: - Signed: -
Status: Hidden from the Windows API!
Name: mrxdav.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0xED6AA000 Size: 180608 File Visible: - Signed: -
Status: Hidden from the Windows API!
Name: mrxsmb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xEE71B000 Size: 455680 File Visible: - Signed: -
Status: Hidden from the Windows API!
Name: Mup.sys
Image Path: Mup.sys
Address: 0xF7205000 Size: 105344 File Visible: - Signed: -
Status: Hidden from the Windows API!
Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF724C000 Size: 574976 File Visible: - Signed: -
Status: Hidden from the Windows API!
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEBD7C000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\Documents and Settings\Cara\Local Settings\temp
Status: Visible to the Windows API, but not on disk.
==EOF==
-
I'd like to scan your machine with ESET OnlineScan
•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
- Double click on the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png) icon on your desktop.
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png)
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png) button.
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
-
ESETScan results
Note these have not been removed since I chose scan archives only
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe probably a variant of Win32/Agent.HZHBURL trojan
C:\Documents and Settings\Cara\Shared\01 Track 1.wma WMA/TrojanDownloader.Wimad.K trojan
C:\Documents and Settings\Cara\Shared\06 Track 6.wma WMA/TrojanDownloader.Wimad.K trojan
C:\Qoobox\Quarantine\C\Program Files\Search Settings\SearchSettings.dll.vir Win32/Adware.Toolbar.Dealio application
C:\Qoobox\Quarantine\C\Program Files\Search Settings\SearchSettings.exe.vir Win32/Adware.Toolbar.Dealio application
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1849\A0299349.dll Win32/Adware.Toolbar.Dealio application
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1849\A0299350.exe Win32/Adware.Toolbar.Dealio application
C:\WINDOWS\Downloaded Program Files\WebEx\424\atpdmod.dll probably a variant of Win32/Genetik trojan
C:\WINDOWS\Downloaded Program Files\WebEx\424\webexmgr.dll probably a variant of Win32/Genetik trojan
-
That looks good. How's your computer running?
-
Seems to be running fine ! Thank you for the help you are awsome!!
So a couple of questions:
1) Should I re-run ESETScan again and let it remove any infected files?
2) Is it safe now to use this computer for on-line banking and purchase transactions?
3) Should I run any of these utilities on a regular basis?
Thanks
-
Should I re-run ESETScan again and let it remove any infected files?
Yes, please and post the log. Once I see the log, I will follow up with some cleaning instructions.
Should I run any of these utilities on a regular basis?
You can keep SAS and MBAM. Update them and run regularly.
Is it safe now to use this computer for on-line banking and purchase transactions?
Yes. There were no signs of rootkits but you should first install a third-party firewall and keep your AV up to date. I've included a list of free ones you can download and use. A warning. A third-party firewall can be frustrating to use at first until it learns all your habits but it is essential especially for on-line financial transactions.
Looking over your log it seems you don't have any evidence of a third party firewall.
Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.
Remember only install ONE firewall
1) Comodo Personal Firewall (http://www.majorgeeks.com/Comodo_Personal_Firewall_d5033.html) (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor (http://www.majorgeeks.com/Online_Armor_Free_d4872.html)
3) Agnitum Outpost (http://www.majorgeeks.com/Outpost_Firewall_Free_d1056.html)
4) PC Tools Firewall Plus (http://www.majorgeeks.com/PC_Tools_Firewall_Plus_d5470.html)
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
-
Rerun of ESET
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe probably a variant of Win32/Agent.HZHBURL trojan cleaned by deleting - quarantined
C:\Documents and Settings\Cara\Shared\01 Track 1.wma WMA/TrojanDownloader.Wimad.K trojan cleaned by deleting - quarantined
C:\Documents and Settings\Cara\Shared\06 Track 6.wma WMA/TrojanDownloader.Wimad.K trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Search Settings\SearchSettings.dll.vir Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Search Settings\SearchSettings.exe.vir Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1849\A0299349.dll Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1849\A0299350.exe Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1854\A0301754.exe probably a variant of Win32/Agent.HZHBURL trojan cleaned by deleting - quarantined
C:\WINDOWS\Downloaded Program Files\WebEx\424\atpdmod.dll probably a variant of Win32/Genetik trojan cleaned by deleting - quarantined
C:\WINDOWS\Downloaded Program Files\WebEx\424\webexmgr.dll probably a variant of Win32/Genetik trojan cleaned by deleting - quarantined
-
Also I check my McAfee Antivirus Plus and I am running
McAfee firewall.
Security level : Outgoing Access (Recommended)
Give all my programs outgoing-only access.
-
Sorry to jump in like this, but I just got the same virus. It's a nasty one. I can't open any program unless Windows is in safe mode. But running Malwarebytes, Superantispyware, and Avast while in Windows safe mode still does not kill the virus.
One of the first posts to this thread says to download and run one of the files: Rkill.exe, Rkill.com, Rkill.scr, Rkill.pif. However, I am not able to download these from the links. Is this still the prefered method to kill this virus and if so, are those links still good? Thanks.
-
ActionJackson
This will take some time and you really need to open your own post on this and let the experts take you through it. It is a machine by machine case. So please don't hijack this thread thanks
-
Ok. That looks good. If there are no other issues, it's time for some cleanup.
* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter
* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.
************************************
Download OTC by OldTimer (http://oldtimer.geekstogo.com/OTC.exe) and save it to your desktop.
1. Double-click OTC to run it.
2. Click the CleanUp! button.
3. Select Yes when the "Begin cleanup Process?" prompt appears.
4. If you are prompted to Reboot during the cleanup, select Yes
5. OTC should delete itself once it finishes, if not delete it yourself.
******************************
Clean out your temporary internet files and temp files.
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
*************************************
This is just included in case you don't have a third-party firewall.
Remember only install ONE firewall
1) Comodo Personal Firewall (http://www.majorgeeks.com/Comodo_Personal_Firewall_d5033.html) (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor (http://www.majorgeeks.com/Online_Armor_Free_d4872.html)
3) Agnitum Outpost (http://www.majorgeeks.com/Outpost_Firewall_Free_d1056.html)
4) PC Tools Firewall Plus (http://www.majorgeeks.com/PC_Tools_Firewall_Plus_d5470.html)
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
*********************************************
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
•Click Start Now
•Check the box next to Enable thorough system inspection.
•Click Start
•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)
Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!
-
When I ran Combofix / uninstall it started running then prompted me to turn off Antivirus which I did, it then prompted me the antivirus was still running and I continue at my own risk (btw there is only the OK option) clicked ok, it then prompted my that there is a newer version available do I want to download it. Since we were uninstalling I no. It then stopped running. Whe I tried to run the uninstall it could not find combofix.
SO I am in limbo with the combox fix uninstall. Should I reinstall and then run uninstall again?
-
Delete the Combo-Fix.exe file, C:\Combo-Fix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combo-fix.txt and C:\Combo-Fix-quarantined-files.txt
*********************************
To turn off Windows XP System Restore:
NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Restart the computer and follow the instructions in the next section to turn on System Restore.
To turn on Windows XP System Restore:
1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
5. Click Apply, and then click OK.