Help with spyware and hijack this logs

#1 (permalink)
25-03-2006, 02:39 PM
judas

Hello. I have recently picked up a whole bunch of viruses or spyware. To be honest I don't really know which is which. Here are the 4 things that I have tried to delete but it says access is denied. These are also running in my task manager.

1. ms0509283-3207 This is labeled as an app. Its other name is called gogo5x

2. errorhandler.exe This is also listed as an app.

3. cinfo.exe This is also listed as an app.

4. 0COD130E160E1.exe

It won't let me delete these things. I'm pretty sure these things are viruses or spyware. Here is a hijack this log I just did. Any help with these problems would be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 8:27:57 AM, on 3/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\ms0509283-3207.exe
C:\WINDOWS\errorhandler.exe
C:\DOCUME~1\Matt\LOCALS~1\Temp\cinfo.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\0C0D130E160E1.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WINPAT~1.EXE
C:\PROGRA~1\MESSEN~1\Msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Matt\LOCALS~1\Temp\Rar$EX00.968\Hijack This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com...r/fix_homepage
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mquyb.exe
F2 - REG:system.ini: UserInit=userinit.exe,wlcclpl.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BMG3.LongTooth - {8110581C-FEA4-47AC-ADBC-DE958DD0F354} - C:\WINDOWS\system32\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic 6\delay.exe
O4 - HKLM\..\Run: [ms0509283-3207] C:\WINDOWS\ms0509283-3207.exe
O4 - HKLM\..\Run: [uyilbi] C:\WINDOWS\system32\vheubj.exe reg_run
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [expload.exe] C:\WINDOWS\system32\expload.exe
O4 - HKLM\..\Run: [F4F5FBF6FEF6FEF] 0C0D130E160E1.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [rupnc] C:\WINDOWS\system32\vheubj.exe reg_run
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - https://www-secure.symantec.com/tech...rl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - https://www-secure.symantec.com/tech...rl/tgctlsr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://aaotracker.4players.de/LaunchGame.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
#2 (permalink)
26-03-2006, 01:02 AM
Neal

Welcome to DAL,


Please download this file to your desktop - http://www.mvps.org/winhelp2002/DelDomains.inf

Right click on the file you downloaded and select install. This resets the trusted and restricted zones to defaults.

Note: if you have immunized with Spybot this takes those off. You will have to re-immunize with Spybot. If you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both of those afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.


Reboot and now let's do some scans and see what we can flush out of the bushes.




Please download, install, and update the NEW free version of Ewido trojan scanner:
* When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
* From the main ewido screen, click on update in the left menu, then click the Start update button.
* After the update finishes (the status bar at the bottom will display "Update successful")
* Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
* If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
* When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Post the log Ewido makes back here please.


Then...



www.pandasoftware.com/activescan/

Internet Explorer Required
Please run this online virus scan: ActiveScan

* Once you are on the Panda site click the Scan your PC button
* A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send (*NOTE: it's perfectly safe to do so. You will NOT be spammed from this)
- Select either Home User or Company
* Click the big Scan Now button
* If/when you get a notice that Panda wants to install an ActiveX component allow it
* It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
* When download is complete, click on Local Disks to start the scan
* When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop and post it back here please and a new hijackthis log as well. Thanks.


I need the log from Ewido
I need the log from Panda
I need a new hijackthis log

Thanks.
#3 (permalink)
26-03-2006, 09:46 PM
judas

Thanks for the help Neal. Here are the log files for the 3 things you told me to get. I did the scans in the exact order that you told me to do them: ewido, activescan, hijack this.

On a side note, the active scan found many things but I wasn't able to correct any of them.

1. Ewido

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:51:10 PM, 3/26/2006
+ Report-Checksum: 55BD48BF

+ Scan result:

HKLM\SOFTWARE\Classes\Interface\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-606747145-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000000000010} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-606747145-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
[2780] C:\WINDOWS\system32\0C0D130E160E1.exe -> Trojan.VB.aft : Cleaned with backup
[1460] C:\WINDOWS\system32\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}.dll -> Trojan.VB.aft : Cleaned with backup
[3268] C:\WINDOWS\system32\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}.dll -> Trojan.VB.aft : Error during cleaning
C:\comscore.exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@banner.paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@counter15.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@counter7.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@cz3.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@cz4.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@cz5.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@cz6.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@cz7.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@cz8.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@paycounter[1].txt -> TrackingCookie.Paycounter : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@servedby.advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@twci.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@vip.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@vip2.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Matt\Local Settings\Temp\F8CDC.tmp/slk8x2peu.exe -> Adware.Suggestor : Cleaned with backup
C:\Documents and Settings\Matt\Local Settings\Temp\F8CDC.tmp/faotvpap7.exe -> Trojan.Runner.h : Cleaned with backup
C:\WINDOWS\CheckS02.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\system32\0C0D130E160E1.exe -> Trojan.VB.aft : Cleaned with backup
C:\WINDOWS\system32\2.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\expload.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\winspy.exe -> Downloader.Small.ckq : Cleaned with backup
C:\WINDOWS\system32\wlcclpl.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINDOWS\system32\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}.dll -> Trojan.VB.aft : Cleaned with backup
C:\WINDOWS\Аdobe\explorer.exe -> Downloader.PurityScan.w : Cleaned with backup
G:\Documents and Settings\Matt\Cookies\matt@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
G:\Documents and Settings\Matt\Cookies\matt@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
G:\Documents and Settings\Matt\Cookies\matt@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
G:\Documents and Settings\Matt\Cookies\matt@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
G:\Documents and Settings\Matt\Cookies\matt@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
G:\Documents and Settings\Matt\Cookies\matt@com[2].txt -> TrackingCookie.Com : Cleaned with backup
G:\Documents and Settings\Matt\Cookies\matt@cz3.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
G:\Documents and Settings\Matt\Cookies\matt@e-2dj6wjlyokcpscp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
G:\Documents and Settings\Matt\Cookies\matt@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
G:\Documents and Settings\Matt\Cookies\matt@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned with backup
G:\Documents and Settings\Matt\Cookies\matt@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
G:\Documents and Settings\Matt\Cookies\matt@web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
G:\Documents and Settings\Matt\Cookies\matt@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
G:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream.a : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{18700A0A-6BA4-4B8F-BE0D-0DC8F4282BFC}\{35931F7B-305F-4E72-AA6C-CDDB5554CAFA}.txt/{35931F7B-305F-4E72-AA6C-CDDB5554CAFA}.txt -> TrackingCookie.Hitbox : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{18700A0A-6BA4-4B8F-BE0D-0DC8F4282BFC}\{43894F90-D070-4FE4-AFC1-450AA43C8223}.txt/{43894F90-D070-4FE4-AFC1-450AA43C8223}.txt -> TrackingCookie.Hitbox : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{18700A0A-6BA4-4B8F-BE0D-0DC8F4282BFC}\{BAE243D6-3117-4A59-9D5B-B94DDE38A327}.txt/{BAE243D6-3117-4A59-9D5B-B94DDE38A327}.txt -> TrackingCookie.2o7 : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{025ACA8B-BAAC-4657-A347-6120374A686A}.txt/{025ACA8B-BAAC-4657-A347-6120374A686A}.txt -> TrackingCookie.2o7 : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{0567EDCE-761E-4ABF-9CC3-A8AD74557FA4}.txt/{0567EDCE-761E-4ABF-9CC3-A8AD74557FA4}.txt -> TrackingCookie.Statcounter : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{199DA03E-E1AA-453F-8AC6-3211E6E4CAC1}.txt/{199DA03E-E1AA-453F-8AC6-3211E6E4CAC1}.txt -> TrackingCookie.Clickzs : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{22506D93-3B03-41EE-B0A0-6CCC3187C7B4}.txt/{22506D93-3B03-41EE-B0A0-6CCC3187C7B4}.txt -> TrackingCookie.Mediaplex : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{22652D2F-94EC-4AD1-BC34-2260139FA7AE}.txt/{22652D2F-94EC-4AD1-BC34-2260139FA7AE}.txt -> TrackingCookie.Clickzs : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{2D9FBA4E-6D6E-4D60-AD34-B9A9E80DABD7}.txt/{2D9FBA4E-6D6E-4D60-AD34-B9A9E80DABD7}.txt -> TrackingCookie.Zedo : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{2F3D423F-5584-40E8-907C-20927D66DC4A}.txt/{2F3D423F-5584-40E8-907C-20927D66DC4A}.txt -> TrackingCookie.Euroclick : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{3971836A-D4D0-4472-8203-83EB5509258F}.txt/{3971836A-D4D0-4472-8203-83EB5509258F}.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{42888134-4F7C-4514-81CA-90F6A53A75C8}.txt/{42888134-4F7C-4514-81CA-90F6A53A75C8}.txt -> TrackingCookie.2o7 : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{43192A3D-1BBC-4667-8113-C7B400F961B7}.txt/{43192A3D-1BBC-4667-8113-C7B400F961B7}.txt -> TrackingCookie.Centrport : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{450316E5-18AF-49E0-B49B-ADF7595E3C5C}.txt/{450316E5-18AF-49E0-B49B-ADF7595E3C5C}.txt -> TrackingCookie.Sexcounter : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{46F8B0BA-966F-4DF0-B0F7-5B91CA13ABD1}.txt/{46F8B0BA-966F-4DF0-B0F7-5B91CA13ABD1}.txt -> TrackingCookie.Adrevolver : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{4C609FD4-F287-4695-B550-171050FE2DDE}.txt/{4C609FD4-F287-4695-B550-171050FE2DDE}.txt -> TrackingCookie.Adserver : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{5068D912-5BA6-4A8C-BFC2-8C481E52F2EE}.txt/{5068D912-5BA6-4A8C-BFC2-8C481E52F2EE}.txt -> TrackingCookie.Hitbox : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{52DE41BC-9B4A-4986-8975-77BB55AD8C2C}.txt/{52DE41BC-9B4A-4986-8975-77BB55AD8C2C}.txt -> TrackingCookie.Hitbox : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{54AB72AF-3498-428A-A5E1-FD89A54E73FB}.txt/{54AB72AF-3498-428A-A5E1-FD89A54E73FB}.txt -> TrackingCookie.Burstnet : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{5680928F-1BCB-4ABC-99F7-C5134AF67A0A}.txt/{5680928F-1BCB-4ABC-99F7-C5134AF67A0A}.txt -> TrackingCookie.Masterstats : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{570B4620-7399-44EB-9F2A-EB43BCDBA51A}.txt/{570B4620-7399-44EB-9F2A-EB43BCDBA51A}.txt -> TrackingCookie.Hitbox : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{59E97C73-AE70-46C9-8DAB-7958AAE505D1}.txt/{59E97C73-AE70-46C9-8DAB-7958AAE505D1}.txt -> TrackingCookie.Yadro : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{5CB61EF1-2DDD-492C-9280-2655FE8A44F8}.txt/{5CB61EF1-2DDD-492C-9280-2655FE8A44F8}.txt -> TrackingCookie.Hitbox : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{5DF5DB72-3D1C-4BD5-9D11-CE71857C100C}.txt/{5DF5DB72-3D1C-4BD5-9D11-CE71857C100C}.txt -> TrackingCookie.Advertising : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{614C0314-A0AD-437D-A3FB-2E73D96F3EB8}.txt/{614C0314-A0AD-437D-A3FB-2E73D96F3EB8}.txt -> TrackingCookie.Adbrite : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{61A48772-A251-4B2D-90B0-6D53CC89A7AE}.txt/{61A48772-A251-4B2D-90B0-6D53CC89A7AE}.txt -> TrackingCookie.Spylog : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{62DEB7BE-AC88-4574-A079-F40836F7A9E8}.txt/{62DEB7BE-AC88-4574-A079-F40836F7A9E8}.txt -> TrackingCookie.Sextracker : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{6EB22A05-6E7C-438C-BAC7-38A3F6958208}.txt/{6EB22A05-6E7C-438C-BAC7-38A3F6958208}.txt -> TrackingCookie.Valueclick : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{715A0539-05F9-4B0F-8786-99D6D0090579}.txt/{715A0539-05F9-4B0F-8786-99D6D0090579}.txt -> TrackingCookie.Overture : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{71601397-2499-440A-93BD-D9B6B8A4FDEE}.txt/{71601397-2499-440A-93BD-D9B6B8A4FDEE}.txt -> TrackingCookie.Questionmarket : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{71EF317F-68A4-49BD-9126-934FABD148CC}.txt/{71EF317F-68A4-49BD-9126-934FABD148CC}.txt -> TrackingCookie.Overture : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{829887B9-5747-431A-B232-CD7FE348488A}.txt/{829887B9-5747-431A-B232-CD7FE348488A}.txt -> TrackingCookie.Trafficmp : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{8C8EF0E4-793C-4C0A-B2FC-BF56AA6979D3}.txt/{8C8EF0E4-793C-4C0A-B2FC-BF56AA6979D3}.txt -> TrackingCookie.Hitbox : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{8CB8B303-20FD-4A5F-88BC-5ECF56E9B483}.txt/{8CB8B303-20FD-4A5F-88BC-5ECF56E9B483}.txt -> TrackingCookie.Hitbox : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{98C31263-78CB-4146-9120-5F761C95EABF}.txt/{98C31263-78CB-4146-9120-5F761C95EABF}.txt -> TrackingCookie.Tacoda : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{9B8517BD-BE15-41CD-A5B2-FD5354D085CD}.txt/{9B8517BD-BE15-41CD-A5B2-FD5354D085CD}.txt -> TrackingCookie.2o7 : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{AC0C91B3-22A1-4CEE-B5DE-21ED97FBAD3C}.txt/{AC0C91B3-22A1-4CEE-B5DE-21ED97FBAD3C}.txt -> TrackingCookie.Falkag : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{ACD59AAF-93F8-4F3C-A21B-CE793FC66286}.txt/{ACD59AAF-93F8-4F3C-A21B-CE793FC66286}.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{AF7FE2BB-7179-4B52-B7B7-A6F84AEAFD00}.txt/{AF7FE2BB-7179-4B52-B7B7-A6F84AEAFD00}.txt -> TrackingCookie.Casalemedia : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{AFEA10E7-3C9C-4863-B364-D95A208BCAAE}.txt/{AFEA10E7-3C9C-4863-B364-D95A208BCAAE}.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{B7B779E4-878A-4437-92FC-91B43DFE70C3}.txt/{B7B779E4-878A-4437-92FC-91B43DFE70C3}.txt -> TrackingCookie.Ivwbox : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{BB6416DA-0D08-408C-A7ED-F2700EE6874E}.txt/{BB6416DA-0D08-408C-A7ED-F2700EE6874E}.txt -> TrackingCookie.Sextracker : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{C32E69B0-3A4F-4A3A-982C-28D069E2D181}.txt/{C32E69B0-3A4F-4A3A-982C-28D069E2D181}.txt -> TrackingCookie.Adtech : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{C877D4C1-7310-467A-9F5B-0734A4B51BEB}.txt/{C877D4C1-7310-467A-9F5B-0734A4B51BEB}.txt -> TrackingCookie.Doubleclick : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{C9D9280A-444D-4FF3-95FF-812DFD5E36CB}.txt/{C9D9280A-444D-4FF3-95FF-812DFD5E36CB}.txt -> TrackingCookie.Starware : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{CC421104-1AEF-4E56-ABA2-428FA1B5D13C}.txt/{CC421104-1AEF-4E56-ABA2-428FA1B5D13C}.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{D0513F83-0DDD-4510-8EBA-C584CC545148}.txt/{D0513F83-0DDD-4510-8EBA-C584CC545148}.txt -> TrackingCookie.Paycounter : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{D3306F05-2EDB-40A2-BFEB-B04370BF0346}.txt/{D3306F05-2EDB-40A2-BFEB-B04370BF0346}.txt -> TrackingCookie.Com : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{D7392CE2-3FA7-4A67-A913-61FAE625552C}.txt/{D7392CE2-3FA7-4A67-A913-61FAE625552C}.txt -> TrackingCookie.Fastclick : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{D7814F6E-7D1B-4FF5-86A9-5461AB416A61}.txt/{D7814F6E-7D1B-4FF5-86A9-5461AB416A61}.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{DDDCFA55-B8D7-402D-843D-F7FB52CDD52A}.txt/{DDDCFA55-B8D7-402D-843D-F7FB52CDD52A}.txt -> TrackingCookie.2o7 : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{DED8BBB1-EAEB-4BD8-9978-37C5E13D9B7C}.txt/{DED8BBB1-EAEB-4BD8-9978-37C5E13D9B7C}.txt -> TrackingCookie.Sexlist : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{DF242B00-05B3-4495-8BE4-06ABC4E67E5C}.txt/{DF242B00-05B3-4495-8BE4-06ABC4E67E5C}.txt -> TrackingCookie.Pointroll : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{EB1A68C6-F864-4007-A20B-7838FC914FB4}.txt/{EB1A68C6-F864-4007-A20B-7838FC914FB4}.txt -> TrackingCookie.Addynamix : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{EB221C46-2A02-4C49-8525-C458B5AE401C}.txt/{EB221C46-2A02-4C49-8525-C458B5AE401C}.txt -> TrackingCookie.Serving-sys : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{EB53CF3A-C2F0-4059-89DB-FF2EB319E9F1}.txt/{EB53CF3A-C2F0-4059-89DB-FF2EB319E9F1}.txt -> TrackingCookie.Advertising : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{EB8B6B70-A887-4AAC-8686-7AD6D6604A0C}.txt/{EB8B6B70-A887-4AAC-8686-7AD6D6604A0C}.txt -> TrackingCookie.Sextracker : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{EC13DFFB-3347-4A9E-90DA-DA0569767306}.txt/{EC13DFFB-3347-4A9E-90DA-DA0569767306}.txt -> TrackingCookie.Hitbox : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{F2A73E7B-EF08-4244-810C-34D00CCB4AF0}.txt/{F2A73E7B-EF08-4244-810C-34D00CCB4AF0}.txt -> TrackingCookie.Sextracker : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{FA18EDEB-F0A1-47A6-BF4A-BFCDBB960AF7}.txt/{FA18EDEB-F0A1-47A6-BF4A-BFCDBB960AF7}.txt -> TrackingCookie.Atdmt : Cleaned with backup
G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{FF9747EB-0B37-47AA-A090-06DD9BD0A1D8}.txt/{FF9747EB-0B37-47AA-A090-06DD9BD0A1D8}.txt -> TrackingCookie.Ru4 : Cleaned with backup


::Report End


2. Activescan


Incident Status Location

Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Matt\Cookies\matt@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Matt\Cookies\matt@888[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Matt\Cookies\matt@ad.sensismediasmart.com[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Matt\Cookies\matt@adopt.hbmediapro[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Matt\Cookies\matt@azjmp[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Matt\Cookies\matt@belnk[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Matt\Cookies\matt@cassava[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Matt\Cookies\matt@ccbill[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Matt\Cookies\matt@ct.360i[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Matt\Cookies\matt@dist.belnk[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Matt\Cookies\matt@gamearena.com[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Matt\Cookies\matt@go[2].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Matt\Cookies\matt@kinghost[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Matt\Cookies\matt@maxserving[2].txt
Spyware:Cookie/Peel Not disinfected C:\Documents and Settings\Matt\Cookies\matt@peel[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Matt\Cookies\matt@realmedia[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Matt\Cookies\matt@toplist[1].txt
Adware:Adware/Alexa-Toolbar Not disinfected C:\Documents and Settings\Matt\Local Settings\Temp\CampusIMFeb.exe
Adware:Adware/PurityScan Not disinfected C:\Veracruz.exe
Virus:Trj/sosmyn.A Not disinfected C:\WINDOWS\errorhandler.exe
Adware:adware/ieplugin Not disinfected C:\WINDOWS\kwv2.dat
Adware:Adware/DigInk Not disinfected C:\WINDOWS\pf78bb.exe
Adware:Adware/Getup Not disinfected C:\WINDOWS\system32\__delete_on_reboot__0C0D130E160E1.exe
Spyware:Cookie/Atwola Not disinfected G:\Documents and Settings\Matt\Cookies\matt@atwola[1].txt
Spyware:Cookie/go Not disinfected G:\Documents and Settings\Matt\Cookies\matt@go[1].txt
Spyware:Cookie/go Not disinfected G:\Documents and Settings\Matt\Cookies\matt@go[2].txt
Spyware:Cookie/Searchportal Not disinfected G:\Documents and Settings\Matt\Cookies\matt@searchportal.information[1].txt
Spyware:Cookie/Media-motor Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{15EF571A-54D6-4EC3-A032-0EA83CC96B54}.txt[{15EF571A-54D6-4EC3-A032-0EA83CC96B54}.txt]
Spyware:Cookie/go Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{19439991-5351-40A8-BF41-39F7E76D7D8B}.txt[{19439991-5351-40A8-BF41-39F7E76D7D8B}.txt]
Spyware:Cookie/Peel Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{398647DF-2886-4D1E-B591-5E76F77AB67A}.txt[{398647DF-2886-4D1E-B591-5E76F77AB67A}.txt]
Spyware:Cookie/RealMedia Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{3B08FE9D-71CD-4D99-8062-D825DF1B88B9}.txt[{3B08FE9D-71CD-4D99-8062-D825DF1B88B9}.txt]
Spyware:Cookie/go Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{415BE379-9105-41C9-9F5D-79CB80974C87}.txt[{415BE379-9105-41C9-9F5D-79CB80974C87}.txt]
Spyware:Cookie/Belnk Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{41C69E4E-E3AB-49D3-9B68-3996088BFD56}.txt[{41C69E4E-E3AB-49D3-9B68-3996088BFD56}.txt]
Spyware:Cookie/go Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{61EF5AE1-84AF-4D14-83CD-DDDFF17A2B1D}.txt[{61EF5AE1-84AF-4D14-83CD-DDDFF17A2B1D}.txt]
Spyware:Cookie/Belnk Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{636ED8B9-6D69-4005-B342-6F261B257519}.txt[{636ED8B9-6D69-4005-B342-6F261B257519}.txt]
Spyware:Cookie/Atwola Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{833A48A1-D962-4FE6-B4FD-08D64AC2DA0B}.txt[{833A48A1-D962-4FE6-B4FD-08D64AC2DA0B}.txt]
Spyware:Cookie/LinkExchange Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{B4C7D032-57B8-401C-9032-EA61CCE739F2}.txt[{B4C7D032-57B8-401C-9032-EA61CCE739F2}.txt]
Spyware:Cookie/Bfast Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{BCA421E4-2EAE-47F8-82B7-8AECAA6AD2EE}.txt[{BCA421E4-2EAE-47F8-82B7-8AECAA6AD2EE}.txt]
Spyware:Cookie/Searchportal Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{C19F69D9-61FD-461C-A33A-E7FF6301B224}.txt[{C19F69D9-61FD-461C-A33A-E7FF6301B224}.txt]
Spyware:Cookie/Azjmp Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{DC3B71EF-A2C1-4660-A614-57D433007C3B}.txt[{DC3B71EF-A2C1-4660-A614-57D433007C3B}.txt]
Spyware:Cookie/Maxserving Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{E78FBADE-1BB7-4EFB-B0E1-18B2635177DD}.txt[{E78FBADE-1BB7-4EFB-B0E1-18B2635177DD}.txt]
Spyware:Cookie/Screensavers Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{E951E2D8-4D2C-4625-B257-629C1C9A2CEA}.txt[{E951E2D8-4D2C-4625-B257-629C1C9A2CEA}.txt]
Spyware:Cookie/Adrevolver Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{F6E754D5-619C-44AC-93EA-1DD0B603B09C}.txt[{F6E754D5-619C-44AC-93EA-1DD0B603B09C}.txt]
Dialer:Dialer.B Not disinfected G:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
Spyware:Spyware/BetterInet Not disinfected G:\WINDOWS\inf\mmaker2.inf
3. hijack this

Logfile of HijackThis v1.99.1
Scan saved at 3:39:55 PM, on 3/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\ms0509283-3207.exe
C:\WINDOWS\errorhandler.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\DOCUME~1\Matt\LOCALS~1\Temp\cinfo.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\PROGRA~1\MESSEN~1\Msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Matt\LOCALS~1\Temp\Rar$EX00.422\Hijack This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe,wlcclpl.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BMG3.LongTooth - {8110581C-FEA4-47AC-ADBC-DE958DD0F354} - C:\WINDOWS\system32\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}.dll (file missing)
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic 6\delay.exe
O4 - HKLM\..\Run: [ms0509283-3207] C:\WINDOWS\ms0509283-3207.exe
O4 - HKLM\..\Run: [uyilbi] C:\WINDOWS\system32\vheubj.exe reg_run
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [rupnc] C:\WINDOWS\system32\vheubj.exe reg_run
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - https://www-secure.symantec.com/tech...rl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - https://www-secure.symantec.com/tech...rl/tgctlsr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://aaotracker.4players.de/LaunchGame.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  #4 (permalink)  
Old 26-03-2006, 10:43 PM
Neal's Avatar
Senior Member
 
Join Date: Sep 2005
Posts: 5,524
Neal is a D-A-L Rockstar!
Re: Help with spyware and hijack this logs

Hi,


Print these instructions out.


Don't run the tool just yet, we will from safe mode in a bit
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
=============================================
If you use Firefox Browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

=============================================
If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

=============================================


Go here to learn how to show hidden files/folders:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5



Run hijackthis and click on scan button and put checks next to these items:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe,wlcclpl.exe

O2 - BHO: BMG3.LongTooth - {8110581C-FEA4-47AC-ADBC-DE958DD0F354} - C:\WINDOWS\system32\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}.dll

O4 - HKLM\..\Run: [ms0509283-3207] C:\WINDOWS\ms0509283-3207.exe
O4 - HKLM\..\Run: [uyilbi] C:\WINDOWS\system32\vheubj.exe reg_run
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [expload.exe] C:\WINDOWS\system32\expload.exe
O4 - HKLM\..\Run: [F4F5FBF6FEF6FEF] 0C0D130E160E1.exe
O4 - HKCU\..\Run: [rupnc] C:\WINDOWS\system32\vheubj.exe reg_run

O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)

O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab



Again make sure all browser windows are closed and click FIX


Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select safe mode and press enter.


Hunt for and delete if present:


wlcclpl.exe
C:\WINDOWS\ms0509283-3207.exe < file
C:\WINDOWS\system32\vheubj.exe < file
C:\WINDOWS\errorhandler.exe < file
C:\WINDOWS\system32\expload.exe < file
0C0D130E160E1.exe < file


Now run ATF cleaner from safe mode following instructions previously stated


Reboot normal mode and give me another Panda scan log please.
__________________
Stalking and killing Spyware
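The kind of first-pass triage applied to the HijackThis log in the post above, as an added example that is not part of the original thread and not HijackThis's own logic. The four rules and all function names are assumptions chosen to mirror the entries singled out in that post; a hit means "verify this entry", not "malicious".

```python
import ipaddress
import ntpath
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.com/
F2 - REG:system.ini: UserInit=userinit.exe,wlcclpl.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BMG3.LongTooth - {8110581C-FEA4-47AC-ADBC-DE958DD0F354} - C:\WINDOWS\system32\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}.dll (file missing)
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic 6\delay.exe
O4 - HKLM\..\Run: [ms0509283-3207] C:\WINDOWS\ms0509283-3207.exe
O4 - HKLM\..\Run: [uyilbi] C:\WINDOWS\system32\vheubj.exe reg_run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# "<section code> - <rest of line>", e.g. "O4 - HKLM\..\Run: [name] path".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Assumption: an autorun binary sitting directly in these folders deserves a look.
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}


def userinit_extras(body):
    """Return programs chained next to userinit.exe in an F2 UserInit value."""
    match = re.search(r"UserInit=(.*)$", body, re.IGNORECASE)
    if not match:
        return []
    items = [p.strip() for p in match.group(1).split(",") if p.strip()]
    return [p for p in items if ntpath.basename(p).lower() != "userinit.exe"]


def run_target(body):
    """Extract the executable path from an O4 autorun entry, or None."""
    match = re.search(r"\]\s+(.*)$", body)
    if not match:
        return None
    command = match.group(1)
    if command.startswith('"'):
        # Quoted path: everything up to the closing quote.
        return command[1:].split('"', 1)[0]
    # Unquoted path may contain spaces; cut at the first ".exe".
    exe = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return exe.group(1) if exe else command


def dpf_ip_host(body):
    """Return the host of an O16 download URL if it is a bare IP address."""
    match = re.search(r"(https?://\S+)$", body)
    if not match:
        return None
    host = urlparse(match.group(1)).hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return None
    return host


def triage(log_text):
    """Return (code, reason, line) tuples for entries that need manual review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        code, body = entry.group("code"), entry.group("body")
        # Rule 1: the registry entry points at a file that no longer exists.
        if body.endswith(("(file missing)", "(no file)")):
            findings.append((code, "target file absent", line))
        # Rule 2: something else is launched alongside userinit.exe at logon.
        if code == "F2":
            extras = userinit_extras(body)
            if extras:
                findings.append((code, "Userinit chains " + ", ".join(extras), line))
        # Rule 3: autorun value whose binary sits directly in the Windows folders.
        if code == "O4":
            target = run_target(body)
            if target and ntpath.dirname(target).lower() in WINDOWS_DIRS:
                findings.append((code, "autorun binary in Windows directory", line))
        # Rule 4: ActiveX control downloaded from a raw IP address.
        if code == "O16":
            host = dpf_ip_host(body)
            if host:
                findings.append((code, "ActiveX source is bare IP " + host, line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

Legitimate software also starts from `system32`, so rule 3 over-reports on a clean machine; each hit still has to be checked by hand before anything is fixed or deleted.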

  #5 (permalink)  
Old 27-03-2006, 04:46 PM
Full Member
New Recruit
 
Join Date: Mar 2006
Posts: 79
judas Is a beginner here at D-A-L
Re: Help with spyware and hijack this logs

Alright I did everything you said in the last post and here is the new panda active scan log:



Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Matt\Cookies\matt@atdmt[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Matt\Cookies\matt@doubleclick[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Matt\Cookies\matt@go[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Matt\Cookies\matt@hitbox[2].txt
Adware:adware/ieplugin Not disinfected C:\WINDOWS\kwv2.dat
Adware:Adware/DigInk Not disinfected C:\WINDOWS\pf78bb.exe
Spyware:Cookie/Atwola Not disinfected G:\Documents and Settings\Matt\Cookies\matt@atwola[1].txt
Spyware:Cookie/go Not disinfected G:\Documents and Settings\Matt\Cookies\matt@go[1].txt
Spyware:Cookie/go Not disinfected G:\Documents and Settings\Matt\Cookies\matt@go[2].txt
Spyware:Cookie/Searchportal Not disinfected G:\Documents and Settings\Matt\Cookies\matt@searchportal.information[1].txt
Spyware:Cookie/Media-motor Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{15EF571A-54D6-4EC3-A032-0EA83CC96B54}.txt[{15EF571A-54D6-4EC3-A032-0EA83CC96B54}.txt]
Spyware:Cookie/go Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{19439991-5351-40A8-BF41-39F7E76D7D8B}.txt[{19439991-5351-40A8-BF41-39F7E76D7D8B}.txt]
Spyware:Cookie/Peel Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{398647DF-2886-4D1E-B591-5E76F77AB67A}.txt[{398647DF-2886-4D1E-B591-5E76F77AB67A}.txt]
Spyware:Cookie/RealMedia Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{3B08FE9D-71CD-4D99-8062-D825DF1B88B9}.txt[{3B08FE9D-71CD-4D99-8062-D825DF1B88B9}.txt]
Spyware:Cookie/go Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{415BE379-9105-41C9-9F5D-79CB80974C87}.txt[{415BE379-9105-41C9-9F5D-79CB80974C87}.txt]
Spyware:Cookie/Belnk Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{41C69E4E-E3AB-49D3-9B68-3996088BFD56}.txt[{41C69E4E-E3AB-49D3-9B68-3996088BFD56}.txt]
Spyware:Cookie/go Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{61EF5AE1-84AF-4D14-83CD-DDDFF17A2B1D}.txt[{61EF5AE1-84AF-4D14-83CD-DDDFF17A2B1D}.txt]
Spyware:Cookie/Belnk Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{636ED8B9-6D69-4005-B342-6F261B257519}.txt[{636ED8B9-6D69-4005-B342-6F261B257519}.txt]
Spyware:Cookie/Atwola Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{833A48A1-D962-4FE6-B4FD-08D64AC2DA0B}.txt[{833A48A1-D962-4FE6-B4FD-08D64AC2DA0B}.txt]
Spyware:Cookie/LinkExchange Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{B4C7D032-57B8-401C-9032-EA61CCE739F2}.txt[{B4C7D032-57B8-401C-9032-EA61CCE739F2}.txt]
Spyware:Cookie/Bfast Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{BCA421E4-2EAE-47F8-82B7-8AECAA6AD2EE}.txt[{BCA421E4-2EAE-47F8-82B7-8AECAA6AD2EE}.txt]
Spyware:Cookie/Searchportal Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{C19F69D9-61FD-461C-A33A-E7FF6301B224}.txt[{C19F69D9-61FD-461C-A33A-E7FF6301B224}.txt]
Spyware:Cookie/Azjmp Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{DC3B71EF-A2C1-4660-A614-57D433007C3B}.txt[{DC3B71EF-A2C1-4660-A614-57D433007C3B}.txt]
Spyware:Cookie/Maxserving Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{E78FBADE-1BB7-4EFB-B0E1-18B2635177DD}.txt[{E78FBADE-1BB7-4EFB-B0E1-18B2635177DD}.txt]
Spyware:Cookie/Screensavers Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{E951E2D8-4D2C-4625-B257-629C1C9A2CEA}.txt[{E951E2D8-4D2C-4625-B257-629C1C9A2CEA}.txt]
Spyware:Cookie/Adrevolver Not disinfected G:\Program Files\iolo\System Mechanic 6\Undo\Manual\{965B01F8-40DB-4A9D-AAB5-35461BAC13B2}\{F6E754D5-619C-44AC-93EA-1DD0B603B09C}.txt[{F6E754D5-619C-44AC-93EA-1DD0B603B09C}.txt]
Dialer:Dialer.B Not disinfected G:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
Spyware:Spyware/BetterInet Not disinfected G:\WINDOWS\inf\mmaker2.inf
  #6 (permalink)  
Old 27-03-2006, 10:38 PM
Neal's Avatar
Senior Member
 
Join Date: Sep 2005
Posts: 5,524
Neal is a D-A-L Rockstar!
Re: Help with spyware and hijack this logs

Hi,


Please download TheKillbox by Option^Explicit from here:
http://downloads.subratam.org/KillBox.zip
or here:
http://download.broadbandmedic.com/
or here:
http://www.bleepingcomputer.com/file...re/KillBox.zip
Unzip it to the desktop but do NOT run it yet.

1) Open up kill box now.

2) Select "Delete on Reboot".

3) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:


C:\WINDOWS\kwv2.dat
C:\WINDOWS\pf78bb.exe
G:\WINDOWS\inf\mmaker2.inf


4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.



Also give me a new hijackthis log with feedback on how your computer is running now.
  #7 (permalink)  
Old 27-03-2006, 11:32 PM
Full Member
New Recruit
 
Join Date: Mar 2006
Posts: 79
judas Is a beginner here at D-A-L
Re: Help with spyware and hijack this logs

Hello again. I have the hijack this logs after completing the kill box operation.

Logfile of HijackThis v1.99.1
Scan saved at 3:39:55 PM, on 3/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\ms0509283-3207.exe
C:\WINDOWS\errorhandler.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\DOCUME~1\Matt\LOCALS~1\Temp\cinfo.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\PROGRA~1\MESSEN~1\Msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Matt\LOCALS~1\Temp\Rar$EX00.422\Hijack This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe,wlcclpl.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BMG3.LongTooth - {8110581C-FEA4-47AC-ADBC-DE958DD0F354} - C:\WINDOWS\system32\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}.dll (file missing)
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic 6\delay.exe
O4 - HKLM\..\Run: [ms0509283-3207] C:\WINDOWS\ms0509283-3207.exe
O4 - HKLM\..\Run: [uyilbi] C:\WINDOWS\system32\vheubj.exe reg_run
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [rupnc] C:\WINDOWS\system32\vheubj.exe reg_run
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - https://www-secure.symantec.com/tech...rl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - https://www-secure.symantec.com/tech...rl/tgctlsr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://aaotracker.4players.de/LaunchGame.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  #8 (permalink)  
Old 28-03-2006, 02:10 AM
Senior Member
 
Join Date: Sep 2005
Posts: 5,524
Re: Help with spyware and hijack this logs

This stuff isn't going away very good.



Create a folder such as C:\HJT or C:\Program Files\HJT and move HJT.exe into the newly created folder so we can have available backups in case you fix the wrong thing or I make a mistake. Very important.


Go into your task manager and end process on these (highlight and click the End Process button), if they are there:

ms0509283-3207.exe
vheubj.exe
errorhandler.exe



Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select safe mode and press Enter.


Run Ewido while in safe mode and post that log please.


Scan with hijackthis while in safe mode and fix these again:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe,wlcclpl.exe

O2 - BHO: BMG3.LongTooth - {8110581C-FEA4-47AC-ADBC-DE958DD0F354} - C:\WINDOWS\system32\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}.dll (file missing)

O4 - HKLM\..\Run: [ms0509283-3207] C:\WINDOWS\ms0509283-3207.exe
O4 - HKLM\..\Run: [uyilbi] C:\WINDOWS\system32\vheubj.exe reg_run
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKCU\..\Run: [rupnc] C:\WINDOWS\system32\vheubj.exe reg_run

O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)



Again make sure all browser windows are closed and click FIX


Hunt for and delete if present:

C:\WINDOWS\ms0509283-3207.exe < file
C:\WINDOWS\system32\vheubj.exe reg_run < file
C:\WINDOWS\errorhandler.exe < file


Reboot

Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal Start


Post a new HJT log for further review
__________________
Stalking and killing Spyware

ASAP: promoting a high standard and quality of security support no matter where you seek help.
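The "fix these, then post a new HJT log" loop in this thread can be checked mechanically. The following is an added example, not part of the original posts: it compares the entries a helper asked to fix against a follow-up HijackThis log and reports which ones survived and whether their file is still in the running-process list. `FIX_LIST` is copied from the reply above; `FOLLOWUP` is a constructed excerpt, and the function names are hypothetical.

```python
import re

# Entries the helper asked to fix (copied from the reply in this thread).
FIX_LIST = r"""F2 - REG:system.ini: UserInit=userinit.exe,wlcclpl.exe
O4 - HKLM\..\Run: [ms0509283-3207] C:\WINDOWS\ms0509283-3207.exe
O4 - HKLM\..\Run: [uyilbi] C:\WINDOWS\system32\vheubj.exe reg_run
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
"""
# Constructed follow-up log excerpt (sample data, not a real scan).
FOLLOWUP = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\errorhandler.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.com/
O4 - HKLM\..\Run: [uyilbi] C:\WINDOWS\system32\vheubj.exe reg_run
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")        # section code + body
PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.I)  # first exe/dll path

def parse_log(text):
    """Return (lower-cased running process paths, [(code, body), ...])."""
    running, entries, in_procs = set(), [], False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif (m := ENTRY.match(line)):
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            running.add(line.lower())
    return running, entries

def still_present(fix_list, new_log):
    """Entries from the fix list that are still in the follow-up log."""
    running, entries = parse_log(new_log)
    seen = {(code, body.lower()) for code, body in entries}
    report = []
    for code, body in parse_log(fix_list)[1]:
        if (code, body.lower()) not in seen:
            continue                   # entry is gone: the fix held
        m = PATH.search(body)
        path = m.group(0) if m else None
        report.append({"code": code, "entry": body, "file": path,
                       "running": bool(path) and path.lower() in running})
    return report
```

An entry that persists with `running` set to true means the process was still alive when the fix was applied and most likely rewrote its own Run key, which is why the reply has the processes ended and the fix repeated in safe mode.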
