malware downloader agent fout every time i start [RESOLVED]

Hello David and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! (Click the Options drop down near the upper right of the topic. Select Print this topic.)

You have quite a mixture of malware and Trojans. Let’s see what we can do.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
CCleaner
CWShredder
cwsserviceemove.reg file
combofix.exe

Now please install CWShredder, and run it. Click Check For Update, then Fix and then OK followed by Next, let it fix everything it asks about

Please open, and update Ewido anti-spyware

• Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  
• After the update finishes (the status bar at the bottom will display "Update successful")
  
• Please select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  
• Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  
• Under "Reports"
• Select "Automatically generate report after every scan"
• Deselect "Only if threats were found"
• Close Ewido. Do not run it yet.

Next, please reboot your computer in Safe Mode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

• In Safe Mode, load Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be patient.
  
• Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  
• Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (I suggest the Desktop).
  
• Please ensure you post that log in your reply.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {5C7128CC-DAEE-474B-B4C6-A75C557A1C60} - (no file)
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.co...l/azesearch.cab
O21 - SSODL: IEFilter - {FBD23577-D296-4077-8C35-A8F9055A6F34} - C:\WINNT\system32\IEFilter.dll (file missing)
O23 - Service: Service - Unknown owner - C:\WINNT\system32\Service.exe

Now close all windows other than HiJackThis, then click Fix Checked.

Unzip cwsserviceemove.reg file to your desktop. While in safe mode, double click on it and grant it permission to add the registry items.

Reboot normally

Please install Killbox by Option^Explicit.

• Please double-click Killbox.exe to run it.
• Select Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\WINNT\system32\IEFilter.dll
C:\WINNT\system32\Service.exe

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the system tab, and under the heading of Applications uncheck Ewido Security Suite log then click Analyze> Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues – fix selected issues

Double click combofix.exe & follow the prompts.

When it has finished, it will produce a log. Please post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post back a fresh HijackThis log (from normal mode) and I will take another look.

Thanks for your help, I appreciate it.

I think I have done everything you said. and here are the log files:


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:48:57 AM 9/7/2006

+ Scan result:



C:\Documents and Settings\administrator.TUCO\Local Settings\Temp\__delete_on_reboot__t_1_1_5_7_6_4_1_6_0_7_._d_l_l_ -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator.TUCO\Local Settings\Temp\t1157080144.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator.TUCO\Local Settings\Temp\t1157127662.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator.TUCO\Local Settings\Temp\t1157210906.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator.TUCO\Local Settings\Temp\t1157210909.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
[432] C:\DOCUME~1\ADMINI~1.TUC\LOCALS~1\Temp\t1157641607.dll -> Downloader.Agent.asl : Error during cleaning.
:mozilla.12:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.13:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.14:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.16:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.17:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.18:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.19:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.40:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.73:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.74:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.75:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.76:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.77:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.78:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.20:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.57:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.58:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.59:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.132:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.133:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.134:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator.TUCO\Cookies\[email protected][1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.169:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup (quarantined).
:mozilla.170:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup (quarantined).
:mozilla.171:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator.TUCO\Cookies\[email protected][1].txt -> TrackingCookie.Onestat : Cleaned with backup (quarantined).
:mozilla.55:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.56:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.109:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.110:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator.TUCO\Cookies\racerx@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.101:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.103:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.104:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator.TUCO\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator.TUCO\Cookies\racerx@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.64:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.65:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.66:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.67:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.68:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.69:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.70:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.71:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.53:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.54:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.48:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.49:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.50:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.51:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.52:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator.TUCO\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).


::Report end

racerx - Thu 09/07/2006 12:12:15.40
ComboFix 06.09.07 - Running from: C:\Documents and Settings\administrator.TUCO\My Documents\My Programs\New Folder

Microsoft Windows 2000 [Version 5.00.2195]

((((((((((((((((((((((((((((((( Files Created from 2006-08-07 to 2006-09-07 ))))))))))))))))))))))))))))))))))


2006-08-30 11:08 465,176 --a------ C:\WINNT\system32\wuapi.dll
2006-08-30 11:08 41,240 --a------ C:\WINNT\system32\wups.dll
2006-08-30 11:08 194,328 --a------ C:\WINNT\system32\wuaueng1.dll
2006-08-30 11:08 18,200 --a------ C:\WINNT\system32\wups2.dll
2006-08-30 11:08 172,312 --a------ C:\WINNT\system32\wuauclt1.exe
2006-08-30 11:08 127,256 --a------ C:\WINNT\system32\wucltui.dll
2006-08-13 16:58 90,112 --a------ C:\WINNT\system32\AVASTSS.scr


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-07 12:05 -------- d-------- C:\Program Files\Yahoo!
2006-09-07 12:05 -------- d-------- C:\Program Files\CCleaner
2006-09-07 11:11 -------- d-a------ C:\Program Files\ewido anti-spyware 4.0
2006-09-07 10:45 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-05 00:47 -------- d-------- C:\Documents and Settings\administrator.TUCO\Application Data\Adobe
2006-09-04 14:10 -------- d-------- C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla
2006-09-02 00:34 -------- d-------- C:\Program Files\Sony
2006-08-31 02:22 -------- d-------- C:\Documents and Settings\administrator.TUCO\Application Data\Azureus
2006-08-31 00:44 -------- d-------- C:\Program Files\CleanUp!
2006-08-30 23:56 -------- d-------- C:\Program Files\Lavasoft
2006-08-30 23:56 -------- d-------- C:\Documents and Settings\administrator.TUCO\Application Data\Lavasoft
2006-08-30 11:34 -------- d-------- C:\Documents and Settings\administrator.TUCO\Application Data\Google
2006-08-30 11:33 -------- d-------- C:\Program Files\Google
2006-08-22 23:41 16897 --a------ C:\WINNT\system32\igfxtray.exe
2006-08-22 23:41 16897 --a------ C:\WINNT\system32\hkcmd.exe
2006-08-09 16:48 -------- d-------- C:\Program Files\SpywareBlaster
2006-08-08 12:53 635520 --a------ C:\WINNT\system32\aswBoot.exe
2006-08-05 11:25 85952 --a------ C:\WINNT\system32\drivers\aswmon.sys
2006-08-05 11:24 16352 --a------ C:\WINNT\system32\drivers\aswRdr.sys
2006-08-05 11:22 36176 --a------ C:\WINNT\system32\drivers\aswTdi.sys
2006-08-05 11:20 24304 --a------ C:\WINNT\system32\drivers\aavmker4.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINNT\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINNT\\system32\\hkcmd.exe"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"Synchronization Manager"="mobsync.exe /logon"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000001
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00002002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,b5,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\1-Click Maintenance.job
C:\WINNT\tasks\{8784BBC2-D222-40F1-ABB8-0AB731B99296}_LAPTOP_racerx.job
C:\WINNT\tasks\{BE28F1A9-97B7-4FAA-BA1F-89C68AB6A277}_LAPTOP_Administrator.job
C:\WINNT\tasks\{C0923A67-71AC-4E18-B6BF-A4885A048898}_LAPTOP_racerx.job
C:\WINNT\tasks\{D8E67FD8-7BF0-421B-B4BC-168A60A0E100}_LAPTOP_Administrator.job
C:\WINNT\tasks\{E55A6F0D-DF2D-4743-BA7E-E3B72165AAAC}_LAPTOP_racerx.job
C:\WINNT\tasks\{EF5F6ED1-115B-4814-8AE5-AE450557412A}_LAPTOP_Administrator.job

Completion time: Thu 2006-09-07 12:13:10.07
ComboFix.txt

Logfile of HijackThis v1.99.1
Scan saved at 12:14:55 PM, on 9/7/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\mqsvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\administrator.TUCO\My Documents\My Programs\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ne2.attbb.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1156950375864
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe


also one more question. should i get rid of
the googletoolbar and if so would you reccomend a popup blocker for me.

Thanks,
Dave

Hello again David

All looks well there, but I notice an error from Ewido. Have a look for this file and delete it if it still with you.

C:\DOCUME~1\ADMINI~1.TUC\LOCALS~1\Temp\t1157641607.dll (NB - the tilde ~ indicates further characters)

I don't think there is anything wrong with the Google Toolbar as such, there is a problem with the notifier according to Google, who say they are trying to correct it, but they don't appear to be trying too hard.

MSIE 7.0 has a Pop-up blocker as does Mozilla Firefox which is my recommendation to you. It's a lot safer than MSIE as it doesn't get targeted by malware writers so often.

How's the PC running now?

well i found the file and deleted it but it popped back up on reboot. and ewido gave me a warning again... everything else seems to be fune and my computer is running much faster, but i am still worried about that one problem

dave

Hello David

Either delete it in safe mode or use Killbox "delete on reboot" setting.

so I tried deleting the file 2 times in safe mode and 2 times with killbox and it still popps up with a edwido warning every time i reboot.

dave

Hello again Dave

Please download The Avenger by Swandog46 to your Desktop.

• Click on Avenger.zip to open the file
• Extract avenger.exe to your desktop

Copy ALL THE TEXT contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\DOCUME~1\ADMINI~1.TUC\LOCALS~1\Temp\t1157641607.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger programme by clicking on its icon on your desktop.

• Under "Script file to execute" choose "Input Script Manually".
• Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
• Paste the text copied to clipboard into this window by pressing (Ctrl+V).
• Click Done
• Now click on the Green Light to begin execution of the script
• Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

• It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
• Upon reboot, it will briefly open a black command window on your desktop, this is normal.
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy & paste the content of c:\avenger.txt into your reply along with a fresh HJT log from normal mode, by using Add Reply

when I ranavenger it said file not found. now there is a new .dll and a couple .exe files in the same location. and ewido warned me again of the downloader agent it seems to pick a new temp file t*** every time i reboot.



here is my new hijack file:

Logfile of HijackThis v1.99.1
Scan saved at 10:30:27 AM, on 9/9/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\administrator.TUCO\My Documents\My Programs\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ne2.attbb.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe

Hello again David

I wish to see the Avenger log because it gives me codes about the file it is told to kill. Many people do not give it the correct script and then it doesn't work. The script has to start with an instruction "Files to ......" because the programme reads different scripts and can do many things. Please redo that step and post the log.

The HJT log posted is clean. If you are receiving warnings from a scanner, please indicate the file name and path wherever possible.

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Re-opened at the request of the topic starter.

The ewido came up with a new warning:

this time is was:
C:\DOCUME~1\ADMINI~1.TUC \LOCALS~1\Temp\t1158721961.dll

when i looked at that folder that plus the two previous dll files are still there


here is a copy of avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\igspgsdu

*******************

Script file located at: \??\C:\Program Files\uesceofk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Deletion of file C:\DOCUME~1\ADMINI~1.TUC \LOCALS~1\Temp\t1158720638.dll failed!
Status: 0xc000014f
Deletion of file C:\DOCUME~1\ADMINI~1.TUC \LOCALS~1\Temp\t1158720632.dll failed!
Status: 0xc000014f


Completed script processing.

*******************

Finished! Terminate.


here is a current hijack this logfile:

Logfile of HijackThis v1.99.1
Scan saved at 11:21:48 PM, on 9/19/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\mqsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\administrator.TUCO\My Documents\My Programs\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ne2.attbb.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe

Hello again David

The error code from Avenger is this:

0 0xc000014f 0x001f0003 NT_STATUS_UNRECOGNIZED_VOLUME

Let's try another method.

Please delete your temporary files.

Click on START > RUN > type in cleanmgr and hit ENTER

You will see a window asking you to choose your harddrive (most likely C: Drive)

Click it and Windows will now scan the drive and show you the results

Make sure the following are checked:Downloaded Program Files
Temporary Internet Files and
Recycle Bin
Compress Old Files (if you want more disk space)
Click OK and Disk Cleanup will delete those files for you.

Next, go to Start>Run>type in %temp% hit Enter and delete the content of all the temp folders shown (only the content, not the folder). A couple of files may be in memory and will not therefore delete, this is normal.

I don't see anything bad in your HJT log.

How's the PC running overall?

Hi there again,

Well overall the computer is doing much better. while on the internet. So, thanks for that.

it still has the same problem though with this downloader agent

here is a copy of the last ewido scan:

C:\!KillBox\__delete_on_reboot__t_1_1_5_7_6_4_9_8_9_5_._d_l_l_ -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\!KillBox\__delete_on_reboot__t_1_1_5_8_7_2_1_9_6_1_._d_l_l_ -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\!KillBox\__delete_on_reboot__t_1_1_5_8_7_2_1_9_6_1_._d_l_l_( 1) -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\!KillBox\t1157691998.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\!KillBox\t1157692422.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\!KillBox\t1157692435.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\!KillBox\t1157692886.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\!KillBox\t1157692892.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator.TUCO\Local Settings\Temp\__delete_on_reboot__t_1_1_5_8_7_5_4_9_1_0_._d_l_l_ -> Downloader.Agent.asl : Cleaned with backup (quarantined).
[1824] C:\DOCUME~1\ADMINI~1.TUC\LOCALS~1\Temp\t1158754910.dll -> Downloader.Agent.asl : Error during cleaning.
:mozilla.51:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.52:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.50:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator.TUCO\Cookies\[email protected][2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
:mozilla.47:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.48:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.49:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator.TUCO\Cookies\racerx@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator.TUCO\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.54:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.55:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.56:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator.TUCO\Cookies\racerx@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator.TUCO\Cookies\[email protected][2].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator.TUCO\Cookies\[email protected][2].txt -> TrackingCookie.Onestat : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator.TUCO\Cookies\racerx@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator.TUCO\Cookies\racerx@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.46:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator.TUCO\Cookies\racerx@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
:mozilla.14:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.15:C:\Documents and Settings\administrator.TUCO\Application Data\Mozilla\Firefox\Profiles\m87rg62r.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator.TUCO\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).


::Report end

I deleted everything by hand to as per the last instructions. also i downloaded foxfire and have been using that but internet explorer also startsup everytime i reboot and asks if i want to make it my main browser.

Thanks for all the help so far,
Daavid