HotsearchBar

#1 johnhach (New Member, 7 posts)
Hello. If I open a new Explorer window, an extra window opens with a [bleep] site. Also, in every window, certain words (sex, date, etc.) are hyperlinked. I have run Adaware, Spybot, and AVG. Spybot allegedly removes HotsearchBar, but I still have the problems. Here is my HijackThis info: Thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 12:56:52 PM, on 7/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINDOWS\System32\svchost.exe
C:\System Protection\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gophersearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.somethingawful.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: ohb - {22DFEAE8-9AD2-4FC6-9CBA-A6566CA3B6EB} - C:\WINDOWS\system32\gpstool.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Adobe Acrobat Helper - {A452DA63-4286-48EB-A838-3BA85C3049F5} - C:\WINDOWS\Acrobat.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://ppupdates.ca....er/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {D7A7442D-85A9-475F-82F9-65ED4110B4C5} (iiittt Class) - http://gpstool.globa...v30/gpstool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A6BC45C-F137-4C50-93EF-728DE6F0E01A}: NameServer = 24.221.129.5,24.221.30.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F0EA445-BE71-4D2E-9543-DCB15E64FEA0}: NameServer = 192.168.2.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Universal Plug and Play Device Client (UPNPClient) - Unknown owner - c:\System Volume Information\upnpclient.exe (file missing)

#2 Wizard (Retired Staff, 5,661 posts)
Hi johnhach and Welcome to GeekstoGo!!

Please run these 2 Scans and Post the Results so we have a better picture of what's going on in there

Symantec's Online Scanner
http://security.syma...CVGZBZTVOGXFSTZ
Please select Virus Scan!

Download Pfind:
http://www.bleepingc...r/pfind-new.zip

Right Click the Zip Folder and Select "Extract All"
So make sure all those files remain in the same folder.

Don't use it yet!

Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam


Double-click pfind.bat
It will scan for a while, so please be patient.
Wait till the DOS window closes.


Post the contents of C:\pfind.txt in your next reply together with a new HijackThis log and the Results from Symantec

#3 johnhach (New Member, Topic Starter, 7 posts)
Hello again. The day I posted I looked through some other threads and followed directions for deleting stuff through HijackThis and I think I was successful. You're the expert, though, so I followed your directions and here are the results:

The Virus check was good except that it showed I was at risk because I did not have anti-virus software. I do have an up-to-date AVG running, though.

Here are the results from pfind:

Files found with this application may be legitimate.
Only remove files that you know are malware related.


Checking the C: folder



Checking the C:\Program Files folder



Checking the C:\WINDOWS folder



Checking the C:\WINDOWS\SYSTEM32 folder

C:\WINDOWS\SYSTEM32\devil.dll: UPX!
C:\WINDOWS\SYSTEM32\DivX.dll: PEC2
C:\WINDOWS\SYSTEM32\DivX.dll: PECompact2
C:\WINDOWS\SYSTEM32\ilu.dll: UPX!
C:\WINDOWS\SYSTEM32\ilut.dll: UPX!
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\vbskpro2.ocx: UPX!


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder

C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: error finding UPX! header
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: =FSG!u$h
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: UPX!


Checking the C:\Documents and Settings\All Users.WINDOWS\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\All Users.WINDOWS\Application Data folder




Checking the C:\Documents and Settings\Administrator\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\Administrator\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days


C:\WINDOWS\
bootstat.dat Thu Jul 7 2005 8:07:14p A.S.. 2,048 2.00 K

C:\WINDOWS\HELP\
windows.gid Sat Jul 2 2005 1:55:56p A..H. 10,820 10.57 K

C:\WINDOWS\INF\
oem20.inf Sat Jul 2 2005 3:33:54a ...H. 0 0.00 K

C:\WINDOWS\TASKS\
sa.dat Thu Jul 7 2005 8:04:44p A..H. 6 0.00 K

C:\WINDOWS\SYSTEM32\CONFIG\
default.log Thu Jul 7 2005 8:07:04p A..H. 8,192 8.00 K
sam.log Thu Jul 7 2005 8:07:30p A..H. 1,024 1.00 K
security.log Thu Jul 7 2005 8:07:20p A..H. 20,480 20.00 K
software.log Thu Jul 7 2005 8:07:48p A..H. 90,112 88.00 K
system.log Thu Jul 7 2005 8:07:20p A..H. 1,069,056 1.02 M

C:\WINDOWS\SYSTEM32\CATROOT\{F750E~1\
kb890046.cat Tue May 17 2005 11:23:22a ..S.. 11,845 11.57 K
kb893066.cat Wed May 25 2005 2:39:08p ..S.. 10,786 10.53 K
kb896358.cat Thu May 26 2005 7:22:40p ..S.. 15,022 14.67 K
kb896422.cat Tue May 10 2005 10:34:26a ..S.. 10,786 10.53 K
kb896428.cat Tue May 10 2005 7:52:26p ..S.. 10,786 10.53 K
kb898461.cat Tue May 17 2005 12:16:24p ..S.. 9,735 9.50 K
oem20.cat Thu May 26 2005 4:27:36a ..S.. 13,511 13.19 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\
ntuser~1.log Sat Jun 18 2005 3:43:20p A..H. 1,024 1.00 K

C:\WINDOWS\SYSTEM32\MICROS~1\PROTECT\S-1-5-18\USER\
9bca76~1 Tue Jun 7 2005 7:52:46a A.SH. 388 0.38 K
prefer~1 Tue Jun 7 2005 7:52:46a A.SH. 24 0.02 K

19 items found: 19 files, 0 directories.
Total of file sizes: 1,285,645 bytes 1.22 M



! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon REG_SZ RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz REG_SZ nwiz.exe /install
QuickTime Task REG_SZ "C:\Program Files\QuickTime\qttask.exe" -atboottime
SoundMan REG_SZ SOUNDMAN.EXE
NeroCheck REG_SZ C:\WINDOWS\system32\\NeroCheck.exe
SunJavaUpdateSched REG_SZ C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
AVG7_CC REG_SZ C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC REG_SZ C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
tgcmd REG_SZ "C:\Program Files\support.com\bin\tgcmd.exe" /server
NvMediaCenter REG_SZ RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx




! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run





! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} REG_DWORD 0x1
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} REG_DWORD 0x40000021
{0DF44EAA-FF21-4412-828E-260A8728E7F1} REG_DWORD 0x20

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername REG_DWORD 0x0
legalnoticecaption REG_SZ
legalnoticetext REG_SZ
shutdownwithoutlogon REG_DWORD 0x1
undockwithoutlogon REG_DWORD 0x1


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
PostBootReminder REG_SZ {7849596a-48ea-486e-8937-a2a3009f31a9}
CDBurn REG_SZ {fbeb8a05-beee-4442-804e-409d6c4515e9}
WebCheck REG_SZ {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
SysTray REG_SZ {35CEC8A3-2BE6-11D2-8773-92E220524153}


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Salwrap.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,



! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell REG_SZ Explorer.exe



! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs REG_SZ


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
<NO NAME> REG_SZ {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
<NO NAME> REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
<NO NAME> REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
<NO NAME> REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}

Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:17:44 PM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\System32\svchost.exe
C:\System Protection\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.somethingawful.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Adobe Acrobat Helper - {A452DA63-4286-48EB-A838-3BA85C3049F5} - C:\WINDOWS\Acrobat.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A6BC45C-F137-4C50-93EF-728DE6F0E01A}: NameServer = 24.221.129.5,24.221.30.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F0EA445-BE71-4D2E-9543-DCB15E64FEA0}: NameServer = 192.168.2.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Universal Plug and Play Device Client (UPNPClient) - Unknown owner - c:\System Volume Information\upnpclient.exe (file missing)

Thanks!
  • 0
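
Added example, not part of any post in this thread: comparing the 7/2 and 7/7 HijackThis logs above entry by entry shows which findings the earlier cleanup removed and which orphaned entries remain. The function names are this example's own, and the two log excerpts are shortened copies of lines from the logs in this thread.

```python
import re

# HijackThis prefixes each finding with a section code such as R0/R1
# (IE start and search pages), O2 (BHOs), O4 (autoruns), O16 (ActiveX
# downloads) or O23 (services). Header and process lines have no such prefix.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Markers HijackThis appends when the referenced file is not on disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Shortened excerpt of the first log in this thread (7/2/2005).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:56:52 PM, on 7/2/2005
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gophersearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.somethingawful.com/
O2 - BHO: ohb - {22DFEAE8-9AD2-4FC6-9CBA-A6566CA3B6EB} - C:\WINDOWS\system32\gpstool.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {D7A7442D-85A9-475F-82F9-65ED4110B4C5} (iiittt Class) - http://gpstool.globa...v30/gpstool.cab
O23 - Service: Universal Plug and Play Device Client (UPNPClient) - Unknown owner - c:\System Volume Information\upnpclient.exe (file missing)
"""

# Shortened excerpt of the second log in this thread (7/7/2005).
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 8:17:44 PM, on 7/7/2005
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Tmas\Tmas.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.somethingawful.com/
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O23 - Service: Universal Plug and Play Device Client (UPNPClient) - Unknown owner - c:\System Volume Information\upnpclient.exe (file missing)
"""


def parse_entries(log_text):
    """Return the findings of a log as an ordered list of (section, body)."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append((match.group("section"), match.group("body").strip()))
    return entries


def diff_logs(before_text, after_text):
    """Return (removed, added) findings, compared as exact strings."""
    before = parse_entries(before_text)
    after = parse_entries(after_text)
    before_set, after_set = set(before), set(after)
    removed = [entry for entry in before if entry not in after_set]
    added = [entry for entry in after if entry not in before_set]
    return removed, added


def orphaned(entries):
    """Findings whose target file HijackThis could not find on disk."""
    return [entry for entry in entries if entry[1].endswith(ORPHAN_MARKERS)]


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    for label, entries in (("removed", removed), ("added", added),
                           ("still orphaned", orphaned(parse_entries(LOG_AFTER)))):
        print(label + ":")
        for section, body in entries:
            print("  %s - %s" % (section, body))
```

Entries are compared as exact strings, so a path that changes only in case or short-name form shows up as one removal plus one addition.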

#4 Wizard (Retired Staff, 5,661 posts)
Let's get a file Scanned and see those Results

C:\WINDOWS\SYSTEM32\vbskpro2.ocx

Have the above file scanned at the 2 sites below

http://www.virustota...h/index_en.html

http://virusscan.jotti.org/

Post back with those results!

#5 johnhach (New Member, Topic Starter, 7 posts)
Virustotal says the file is clean.

Virusscan showed clean on all the virus checks but gave this message:

MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)

Thanks!

#6 Wizard (Retired Staff, 5,661 posts)
OK, here is what I want you to do!

First, submit the file here
http://www.bleepingc...mit-malware.php

Leave a link and put a message in there>> To CM

Right Click the Desktop and Select Compressed (zipped) Folder

Place a copy of that file in it and close it up!

Now delete the original file and empty the recycle bin!

Click Start>> Run>> Type in Services.msc and Click OK!

Scroll down the list and locate this entry

Universal Plug and Play Device Client

Right Click that entry and Select Properties>> Click Stop>> Go up and Change the StartUp type to Disabled!

Exit Services Page!


Disable System Restore
http://service1.syma...src=sec_doc_nam

Restart the PC and Re-enable System Restore!

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.


Restart back in Safe Mode

Disable System Restore again

Open HijackThis and put a check next to this entry

O23 - Service: Universal Plug and Play Device Client (UPNPClient) - Unknown owner - c:\System Volume Information\upnpclient.exe (file missing)

Make sure All Windows and Browsers are Closed and Click "Fix Checked"

Open up Ewido and Scan just as the link describes and be sure to Save a report!

Restart Normal, Re-enable System Restore

Post a fresh HijackThis Log and the results from Ewido!

Just so you know>> c:\System Volume Information= System Restore!

#7 johnhach (New Member, Topic Starter, 7 posts)
Ok, I submitted the file. I followed all other instructions except that the entry in HijackThis you wanted me to put a check next to was not there.

Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:31:13 PM, on 7/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\System Protection\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.somethingawful.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Adobe Acrobat Helper - {A452DA63-4286-48EB-A838-3BA85C3049F5} - C:\WINDOWS\Acrobat.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A6BC45C-F137-4C50-93EF-728DE6F0E01A}: NameServer = 24.221.129.5,24.221.30.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F0EA445-BE71-4D2E-9543-DCB15E64FEA0}: NameServer = 192.168.2.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Here are the results from Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:27:06 PM, 7/11/2005
+ Report-Checksum: CEC3A767

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{A452DA63-4286-48EB-A838-3BA85C3049F5} -> Backdoor.CLS : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A452DA63-4286-48EB-A838-3BA85C3049F5} -> Backdoor.CLS : Ignored


::Report End

I ignored everything - didn't know what you wanted me to do with these items.

Thanks!

#8
Wizard

  • Retired Staff
  • 5,661 posts
In my book, if Ewido identifies it as nasty, it just has to go!

Go ahead and run it again and let it clean everything it finds!

Have the PC scanned at this site as well:

Panda Active Scan

You will need to be using Internet Explorer for the scan to work!

Save the report it generates.


Post back with a fresh HijackThis log and the reports from Ewido and Panda!

#9
johnhach

    New Member

  • Topic Starter
  • Member
  • 7 posts
I went through twice with Ewido. Forgot to save the first log, here is the second one:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:18:06 PM, 7/12/2005
+ Report-Checksum: 37CBD217

+ Scan result:

C:\Documents and Settings\Hack\Cookies\hack@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Hack\Cookies\hack@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Hack\Cookies\hack@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Hack\Cookies\hack@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup


::Report End

Here is the Panda report:

Incident Status Location

Adware:Adware/CWS No disinfected C:\Documents and Settings\Hack\Favorites\Health

Here is the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:19:09 PM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\System Protection\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.somethingawful.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A6BC45C-F137-4C50-93EF-728DE6F0E01A}: NameServer = 24.221.129.5,24.221.30.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F0EA445-BE71-4D2E-9543-DCB15E64FEA0}: NameServer = 192.168.2.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Thanks!
  • 0

#10
Wizard

    Retired Staff

  • 5,661 posts
Looks much better now!

Locate and Delete

C:\Documents and Settings\Hack\Favorites\Health << Folder

Have HijackThis Fix these

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab


Let's add a bit of browsing security to the PC

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediately!


Metallica has an excellent write-up on Spyware and Steps to Prevention
http://metallica.geekstogo.com/

I highly recommend looking through that Page

If you haven't already, disable System Restore
http://service1.syma...src=sec_doc_nam


Post back and let me know how things are running now?
  • 0
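The `(no file)` entries selected for fixing in the post above can be picked out of a HijackThis log mechanically. This is an added example, not part of the original thread and not HijackThis's own code; the function names are hypothetical and the sample is constructed from lines of the log posted here. Flagged entries are candidates for review, not a removal list.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.somethingawful.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# A log entry starts with a section code such as R0, O2 or O23, then " - ".
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_log(text):
    """Return one dict per entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID.search(body)
        entries.append({
            "code": m.group("code"),
            "clsid": clsid.group(0).upper() if clsid else None,
            # The last " - " separated field is the file or URL, when present.
            "target": body.rsplit(" - ", 1)[-1],
            "raw": line.strip(),
        })
    return entries


def orphaned(entries):
    """Entries whose registered file HijackThis reported as absent."""
    return [e for e in entries
            if e["target"] == "(no file)"
            or e["target"].endswith("(file missing)")]


if __name__ == "__main__":
    for e in orphaned(parse_log(SAMPLE_LOG)):
        print(e["code"], e["clsid"], "->", e["target"])
```

The O9 entry is flagged because its target is a URL rather than a file on disk, which is why such a hit needs a human decision before anything is fixed.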

#11
johnhach

    New Member

  • Topic Starter
  • Member
  • 7 posts
Ok, I've done everything you instructed. There were some other suspicious looking folders with that 'Health' one (gambling, adult, etc.) so I deleted them too. I've got SpywareBlaster and Spywareguard now and I went through the Explorer security settings and ran the vulnerability test. Everything seems to be ok. What do you think?
  • 0

#12
Wizard

    Retired Staff

  • 5,661 posts
Sounds Peachy to me! :tazz:


Go ahead and re-enable System Restore. If the slider bar below it lights up, move it to about the halfway position!

Restore Windows to Hide Files and Folders again and Reconfigure Msconfig to the way you like the PC to start up!


Other than that, you are good to go!! ;)
  • 0

#13
johnhach

    New Member

  • Topic Starter
  • Member
  • 7 posts
Thank you very much! I had no idea how far malware and spyware get their roots into your system...
  • 0





