getting lots of popups, please help [CLOSED]



#1
ihatemonday
Member, 12 posts

I'm getting a lot of popups, and flash ads, and I can't seem to get rid of them.

Is there anything you can help me with by looking at my HJT log?



Logfile of HijackThis v1.99.1
Scan saved at 2:12:11 PM, on 3/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\U2VhbiBhbmQgUnlhbiBNY0NhYmU\command.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\umonit.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Documents and Settings\Sean\My Documents\!My Downloads\HijackThis.exe

O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\hr8s05l7e.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U2VhbiBhbmQgUnlhbiBNY0NhYmU\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\eevfetc.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


#2
MasterJ
Visiting Staff, 1,623 posts

Welcome to GeeksToGo ihatemonday

My name is MasterJ and I will be helping you with your problem.

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button. Your desktop icons will disappear; this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shut down.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive...ib/MSWINSCK.OCX

MasterJ :tazz:

#3
ihatemonday
Member, Topic Starter, 12 posts

Thanks for your help, MasterJ.

Here are the contents of the Look2Me-Destroyer.txt file:

-----------------------


Look2Me-Destroyer V1.0.10

Scanning for infected files.....
Scan started at 3/13/2006 5:10:03 PM

Infected! C:\WINDOWS\system32\dn8201loe.dll
Infected! C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0009936.dll
Infected! C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0009940.dll
Infected! C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0009944.dll
Infected! C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0009948.dll
Infected! C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0009961.dll
Infected! C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0009996.dll
Infected! C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010002.dll
Infected! C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010006.dll
Infected! C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010012.dll
Infected! C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010017.dll
Infected! C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010023.dll
Infected! C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010027.dll
Infected! C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010031.dll
Infected! C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010040.dll
Infected! C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010102.dll
Infected! C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010103.dll
Infected! C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010107.dll
Infected! C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010109.dll
Infected! C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010124.dll
Infected! C:\WINDOWS\system32\biowselc.dll
Infected! C:\WINDOWS\system32\dn8201loe.dll
Infected! C:\WINDOWS\system32\mcobjs.dll
Infected! C:\WINDOWS\system32\msdex.dll
Infected! C:\WINDOWS\system32\q2rqlc951f.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\dn8201loe.dll
C:\WINDOWS\system32\dn8201loe.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0009936.dll
C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0009936.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0009940.dll
C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0009940.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0009944.dll
C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0009944.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0009948.dll
C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0009948.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0009961.dll
C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0009961.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0009996.dll
C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0009996.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010002.dll
C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010002.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010006.dll
C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010006.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010012.dll
C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010012.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010017.dll
C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010017.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010023.dll
C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010023.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010027.dll
C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010027.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010031.dll
C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010031.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010040.dll
C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010040.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010102.dll
C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010102.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010103.dll
C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010103.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010107.dll
C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010107.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010109.dll
C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010109.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010124.dll
C:\System Volume Information\_restore{969E33D9-5FE4-435C-87E6-28116A0B3F5F}\RP43\A0010124.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\biowselc.dll
C:\WINDOWS\system32\biowselc.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dn8201loe.dll
C:\WINDOWS\system32\dn8201loe.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mcobjs.dll
C:\WINDOWS\system32\mcobjs.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\msdex.dll
C:\WINDOWS\system32\msdex.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\q2rqlc951f.dll
C:\WINDOWS\system32\q2rqlc951f.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B4A89598-9BB2-4F6A-9EBD-EC2FB0573EBF}"
HKCR\Clsid\{B4A89598-9BB2-4F6A-9EBD-EC2FB0573EBF}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{33889BC7-D7B1-400B-A017-100A90A2E3BF}"
HKCR\Clsid\{33889BC7-D7B1-400B-A017-100A90A2E3BF}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6B68AB40-7FF4-435F-ACED-6CB88700E932}"
HKCR\Clsid\{6B68AB40-7FF4-435F-ACED-6CB88700E932}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

-----------------------


and a new HJT log:


-----------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:15:16 PM, on 3/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\U2VhbiBhbmQgUnlhbiBNY0NhYmU\command.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\umonit.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sean\My Documents\!My Downloads\HijackThis.exe

O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U2VhbiBhbmQgUnlhbiBNY0NhYmU\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\eevfetc.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Edited by ihatemonday, 13 March 2006 - 05:12 PM.


#4
MasterJ
Visiting Staff, 1,623 posts

Welcome back ihatemonday

Please print these instructions for reference.

Please copy the following text in the box to Notepad. Save it as "All Files" and name it Fixservice.bat. Save it on your desktop.

@echo off
sc stop cmdService
sc delete cmdService
sc stop "Windows Overlay Components"
sc delete "Windows Overlay Components"
exit


Double click Fixservice.bat.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U2VhbiBhbmQgUnlhbiBNY0NhYmU\command.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\eevfetc.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis and reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Now right click on the Start Menu and select Explore.
Please delete these folders using Windows Explorer (if present):

C:\WINDOWS\U2VhbiBhbmQgUnlhbiBNY0NhYmU

Please delete these files using Windows Explorer (if present):

C:\WINDOWS\eevfetc.exe

After that, reboot.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\system32\w9seq.dll
  • Click on the submit button
  • Please post the results in your next reply along with a new hijackthis log.
MasterJ :tazz:

Do you have an antivirus program on your computer?

Edited by MasterJ, 13 March 2006 - 05:35 PM.


#5
ihatemonday
Member, Topic Starter, 12 posts

After I created and ran the Fixservice batch file, I scanned with HJT and the two O23 entries were no longer listed. Also, the following files/folders were already removed when I went into safe mode to delete them:

C:\WINDOWS\U2VhbiBhbmQgUnlhbiBNY0NhYmU
C:\WINDOWS\eevfetc.exe


And when I went to Jotti's malware scan, the following file:

C:\WINDOWS\system32\w9seq.dll

was also gone.

So I guess that's good?


Here's a new HJT log after having done all this.


Logfile of HijackThis v1.99.1
Scan saved at 5:51:13 PM, on 3/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\umonit.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sean\My Documents\!My Downloads\HijackThis.exe

O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)



---------------------

As for antivirus, I do not currently have one installed.

Edited by ihatemonday, 13 March 2006 - 05:49 PM.
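
Added example (not part of the original thread, and not a Geeks to Go or HijackThis tool): a short Python script that diffs two HijackThis logs so that each cleanup step can be checked against the next log. The two excerpts are trimmed from the logs in posts #1 and #5 above; the function names are this example's own.

```python
import re
from typing import NamedTuple


class Entry(NamedTuple):
    code: str  # HijackThis section code, e.g. "O23"
    text: str  # rest of the line after "O23 - "


# Entry lines look like "O23 - Service: ..."; process lines are bare paths.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2})\s+-\s+(.*)$")

# Excerpt of the log in post #1 (trimmed for this example).
BEFORE = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\U2VhbiBhbmQgUnlhbiBNY0NhYmU\command.exe
C:\WINDOWS\system32\umonit.exe

O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\hr8s05l7e.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U2VhbiBhbmQgUnlhbiBNY0NhYmU\command.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\eevfetc.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

# Excerpt of the log in post #5 (trimmed for this example).
AFTER = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\umonit.exe
C:\WINDOWS\system32\wuauclt.exe

O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""


def parse_hjt(log):
    """Split HijackThis log text into (running processes, numbered entries)."""
    processes, entries, in_procs = [], [], False
    for raw in log.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            in_procs = False
            entries.append(Entry(match.group(1), match.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif not line:
            in_procs = False  # a blank line ends the process list
        elif in_procs:
            processes.append(line)
    return processes, entries


def _missing(old, new, key):
    """Items of `old` with no counterpart in `new` (order of `old` kept)."""
    seen = {key(item) for item in new}
    return [item for item in old if key(item) not in seen]


def diff_logs(before, after):
    """Compare two logs; Windows paths are compared case-insensitively."""
    b_procs, b_entries = parse_hjt(before)
    a_procs, a_entries = parse_hjt(after)

    def entry_key(entry):
        return entry.code, entry.text.casefold()

    return {
        "removed_entries": _missing(b_entries, a_entries, entry_key),
        "added_entries": _missing(a_entries, b_entries, entry_key),
        "stopped_processes": _missing(b_procs, a_procs, str.casefold),
        "new_processes": _missing(a_procs, b_procs, str.casefold),
    }


def orphaned(entries):
    """Entries HijackThis itself tagged '(file missing)': the registry data
    is still there although the file it points to is not."""
    return [e for e in entries if e.text.rstrip().endswith("(file missing)")]


if __name__ == "__main__":
    for section, items in diff_logs(BEFORE, AFTER).items():
        print(f"{section}:")
        for item in items:
            print("   ", " - ".join(item) if isinstance(item, Entry) else item)
    print("still tagged (file missing):")
    for entry in orphaned(parse_hjt(AFTER)[1]):
        print("   ", entry.code, "-", entry.text)
```

In these excerpts the O18 filter line for w9seq.dll is identical in both logs, so it appears in neither list. An unchanged entry still has to be reviewed by reading the log itself, not the diff.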


#6
MasterJ
Visiting Staff, 1,623 posts

Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK

Now see if you can find this file. If you do, submit it to Jotti.

C:\WINDOWS\system32\w9seq.dll

It is extremely important to have an antivirus program on your computer. There are many good free programs such as Avast, or AntiVir, but I prefer AVG.

Download one of these programs and install, then scan and then post a new hijackthis log along with the Jotti results.

MasterJ :tazz:

Edited by MasterJ, 13 March 2006 - 05:58 PM.


#7
ihatemonday
Member, Topic Starter, 12 posts

I already have explorer configured to show hidden files and folders, and still don't see it:

Posted Image

But I did download, install, and scan with AVG. It found and fixed several Trojan horse downloaders in my cache.

Here's a new log:




Logfile of HijackThis v1.99.1
Scan saved at 6:21:28 PM, on 3/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\umonit.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\AVGFRE~1\avgamsvr.exe
C:\Program Files\AVG Free\avgcc.exe
C:\Documents and Settings\Sean\My Documents\!My Downloads\HijackThis.exe

O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

#8
MasterJ
Visiting Staff, 1,623 posts

Go ahead and fix this entry with Hijackthis then:

O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll

Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Close Ewido.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Open Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Reboot into normal mode.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the ActiveScan report, along with the Ewido report and a new HijackThis log.

MasterJ :tazz:

#9
ihatemonday
Member, Topic Starter, 12 posts

Sorry, all these scans are taking like 20 mins each. I'll give you an update so far.
  • Removed entry O18 - Filter: text/html
  • Ran ATF cleaner and selected all and cleared everything
  • Scanned with ewido. Here's the log for that:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:03:24 PM, 3/13/2006
+ Report-Checksum: 76C4F363

+ Scan result:

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\F8DLSJDZ\AppWrap[1].exe -> Adware.AdURL : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.135:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.142:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.143:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.144:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.148:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.149:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.150:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.151:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.161:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.162:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.169:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.171:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.172:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.173:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.198:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.199:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.200:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.201:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.202:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.203:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.204:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.205:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.206:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.208:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.209:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.234:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.235:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.238:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.243:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.244:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.245:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.273:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.274:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.275:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.276:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.277:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.278:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.279:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.280:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.290:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.291:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.292:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.293:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.294:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.318:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.319:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.320:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.327:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup
:mozilla.331:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.332:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.352:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.378:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.382:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.383:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.384:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.393:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.395:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.408:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.409:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.410:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.411:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.420:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.421:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.425:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.459:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.479:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.480:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.481:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.482:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.487:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Ryan\Cookies\ryan@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Sean\My Documents\!My Downloads\backups\backup-20050827-173411-114.dll -> Adware.SafeSurfing : Cleaned with backup
C:\Documents and Settings\Sean\My Documents\!My Downloads\CoffeeCup_ImageMapper_ysbinstall_1002755_3.exe -> Downloader.INService.ja : Cleaned with backup
C:\Documents and Settings\Sean\My Documents\!My Downloads\MSN Messenger\MsgPlus-301.exe/Sponsor.exe -> Downloader.Swizzor.bt : Cleaned with backup
C:\Program Files\Common Files\Windows\mc-110-12-0000140.exe -> Dropper.Agent.aac : Cleaned with backup
C:\Program Files\Common Files\Windows\services32.exe -> Adware.Maxifiles : Cleaned with backup


::Report End



--------------------------------------------------------------------------------------


i'm currently running the panda active scan, and that's been going for awhile. it's scanned about 230,000 files so far, and has found 5 spyware, and 2 hacking tools. i'll post the results of that when it's finished.

another HJT log:




Logfile of HijackThis v1.99.1
Scan saved at 7:28:30 PM, on 3/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\umonit.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sean\My Documents\!My Downloads\HijackThis.exe

O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

#10
ihatemonday

ok the panda active scan finished.

log:



Incident Status Location

Adware:adware/commad Not disinfected C:\WINDOWS\SYSTEM32\atmtd.dll
Adware:adware/sqwire Not disinfected C:\WINDOWS\SYSTEM32\tsuninst.exe
Adware:adware/maxifiles Not disinfected C:\Documents and Settings\Sean\Desktop\freeprodtb.exe
Spyware:spyware/new.net Not disinfected Windows Registry
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt[]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Sean\My Documents\!My Downloads\l2mfix.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Sean\My Documents\!My Sony Clie\New Folder\l2mfix\Process.exe
Adware:Adware/Sqwire Not disinfected C:\WINDOWS\system32\tsuninst.exe
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\uninstall_nmon.vbs



this file:

...\Desktop\freeprodtb.exe

i cannot delete manually, in regular, or safe mode. i always get this:

Posted Image
#11
MasterJ

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\SYSTEM32\atmtd.dll
    C:\WINDOWS\SYSTEM32\tsuninst.exe
    C:\Documents and Settings\Sean\Desktop\freeprodtb.exe
    C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\yoa6lrde.default\cookies.txt[]
    C:\Documents and Settings\Sean\My Documents\!My Downloads\l2mfix.exe[Process.exe]
    C:\Documents and Settings\Sean\My Documents\!My Sony Clie\New Folder\l2mfix\Process.exe
    C:\WINDOWS\system32\tsuninst.exe
    C:\WINDOWS\uninstall_nmon.vbs



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Edited by MasterJ, 13 March 2006 - 07:46 PM.


#12
ihatemonday

ok, did just that, and received no PendingFileRenameOperations prompts.


here's another HJT log for the heck of it:


Logfile of HijackThis v1.99.1
Scan saved at 8:00:28 PM, on 3/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\umonit.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sean\My Documents\!My Downloads\HijackThis.exe

O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

#13
MasterJ

Did you already delete any of those files from the panda scan?

#14
ihatemonday

nope, only after you told me, now i removed them with Killbox.

#15
MasterJ

Please run one more scan with panda just to make sure everything is gone.