
Think I may have malware/spyware


zoroaster

Programmer
Jun 10, 2003
131
GB
OK, hands up, my fault; my Antivirus software is out of date (McAfee). I downloaded mediacodec-v4.732.exe and now I've run it I seem to have software installed that is allowing all sorts of advertising popups and stuff, including from Falcon Antivirus!? I did a HijackThis scan, but I've not the experience to know what I'm looking at. Can anyone help?

Code:
Logfile of HijackThis v1.99.1
Scan saved at 07:11:59, on 18/05/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\BTBROA~1\SMARTB~1\SBHookSvc.exe
C:\Program Files\BT Broadband Help\bin\mpbtn.exe
C:\OPLIMIT\ocrawr32.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\BT Broadband Help\bin\BTHelp.exe
C:\PROGRA~1\Motive\Common\MOTIVE~1.EXE
C:\Program Files\Soulseek-Test\slsk.exe
C:\WINNT\system32\atmclk.exe
C:\WINNT\system32\dcomcfg.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINNT\system32\hp99.tmp
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Internet Explorer AutoUp..] svchost32.exe
O4 - HKLM\..\Run: [KIHC] C:\WINNT\reufcp.exe
O4 - HKLM\..\Run: [¢‰¸ÓÝ4‚’È
¤Á<??ÉoUC:\Program Files\ISTsvc\istsvc.exe] C:\WINNT\reufcp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\RunServices: [Internet Explorer AutoUp..] svchost32.exe
O4 - HKCU\..\Run: [Windows DNS Daemon] windnsd.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\BTBROA~1\SMARTB~1\SBHookSvc.exe

Many thanks in advance

Laters, Z

"42??? We're going to get lynched!
 
hi there,


Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm




Removal using the Adware.Istbar Removal Tool istsvc.exe





Post back with another HijackThis log and the SmitfraudFix log!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Also do this too!

Go here and download the latest version of java, once
downloaded, go to add/remove and uninstall all previous versions of java
from add/remove and then install the latest version you just downloaded!



Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Thanks

I'll try this tonight, and let you know the results

Cheers,

Laters, Z

"42??? We're going to get lynched!
 
You are infected, so after downloading smitfraud run this bit, skip the first, but save the log and post it back as you have another virus.



Download the pocket killbox





* Download the trial version of Ewido Security Suite here


* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update click the OK button and it will go to the main screen
* On the left side of the main screen click update
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.




* Click here to download ATF Cleaner by Atribune and save it to your desktop.



* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
o If you use Firefox:
+ Click Firefox at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
o If you use Opera:
+ Click Opera at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.


* Click here for info on how to boot to safe mode if you don't already know
how.




* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in
safe mode:



Have HijackThis fix these entries. Close all browsers and programmes before
clicking FIX.


O4 - HKLM\..\Run: [Internet Explorer AutoUp..] svchost32.exe
O4 - HKLM\..\Run: [KIHC] C:\WINNT\reufcp.exe
O4 - HKLM\..\Run: [¢‰¸ÓÝ4‚’È
¤Á<??ÉoUC:\Program Files\ISTsvc\istsvc.exe] C:\WINNT\reufcp.exe
O4 - HKCU\..\Run: [Windows DNS Daemon] windnsd.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm




Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.



C:\WINNT\reufcp.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINNT\system32\windnsd.exe
C:\WINNT\windnsd.exe




Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.




* Run Ewido:

* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop


Reboot to normal mode and run a few online scans!



Run ActiveScan online virus scan here


When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!



Post another HijackThis log, the ewido, smitfraud and active scan logs






Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
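An added example, not part of the thread or of any tool the posters mention: a small Python triage pass over O2 (BHO) and O4 (registry autorun) lines in the HijackThis format shown in the first post. The four rules and their names are assumptions chosen for illustration, and the sample input is a subset of lines copied from that log.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: a subset of lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINNT\system32\hp99.tmp
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Internet Explorer AutoUp..] svchost32.exe
O4 - HKLM\..\Run: [KIHC] C:\WINNT\reufcp.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [Internet Explorer AutoUp..] svchost32.exe
O4 - HKCU\..\Run: [Windows DNS Daemon] windnsd.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.+)$")
# "O2 - BHO: <name> - {<CLSID>} - <file>"
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
# Program part of a command line: optional quote, then everything up to the
# first executable extension (handles unquoted paths that contain spaces).
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|com|bat|cmd|scr|dll))\b', re.I)

WINDOWS_DIRS = {"winnt", "windows"}

# Rule names (assumptions for this example, not HijackThis terminology).
NO_PATH = "autorun has no directory, so it is resolved through the search path"
WINDOWS_ROOT = "autorun target sits directly in the Windows directory"
MULTI_KEY = "same target registered under more than one autorun key"
BHO_NOT_DLL = "BHO file does not have a .dll extension"


def target_of(command):
    """Return the program part of an autorun command line, without arguments."""
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split()[0].strip('"')


def parse(log):
    """Yield (where, target) for every O2 and registry O4 line; skip the rest."""
    for line in log.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hive, key, _name, command = m.groups()
            yield f"{hive}\\{key}", target_of(command)
            continue
        m = O2_RE.match(line)
        if m:
            yield "BHO", m.group(3)


def triage(log):
    """Return [(where, target, [reasons])] for entries that match a rule."""
    entries = list(parse(log))

    # Which autorun keys does each target appear under?
    keys_for = defaultdict(set)
    for where, target in entries:
        if where != "BHO":
            keys_for[target.lower()].add(where)

    findings = []
    for where, target in entries:
        path = PureWindowsPath(target)
        reasons = []
        if where == "BHO":
            if path.suffix.lower() != ".dll":
                reasons.append(BHO_NOT_DLL)
        else:
            if len(path.parts) == 1:
                reasons.append(NO_PATH)
            # parts == ('C:\\', 'WINNT', 'file.exe') means one level below the drive
            if len(path.parts) == 3 and path.parts[1].lower() in WINDOWS_DIRS:
                reasons.append(WINDOWS_ROOT)
            if len(keys_for[target.lower()]) > 1:
                reasons.append(MULTI_KEY)
        if reasons:
            findings.append((where, target, reasons))
    return findings


if __name__ == "__main__":
    for where, target, reasons in triage(SAMPLE_LOG):
        print(f"{where:18} {target}")
        for reason in reasons:
            print(f"{'':18}   - {reason}")
```

The no-path rule also flags `mobsync.exe`, which is not among the entries the reply above asks to fix, so the output is a list of entries to review by hand rather than a verdict.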
 
Once you have done what pechenegs has told you to do (excellent information), look into the following:

Webroot Spysweeper

Download it here:


Webroot Spysweeper 14 day Trial

Update the defs and do a sweep.

Check out this nice product:

Super Antispyware


Update it and run a complete scan.

Good luck

Erik
 
Pechenegs:

Downloaded FxIstbar.exe and FxIstbar-1.exe
(is this just 2 links to the same app. or are they different?)

Rapport.txt:

SmitFraudFix v2.45

Scan done at 14:35:01.52, Sat 20/05/2006
Run from C:\Documents and Settings\User\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195]

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

C:\WINNT\system32\atmclk.exe FOUND !
C:\WINNT\system32\dcomcfg.exe FOUND !
C:\WINNT\system32\hp????.tmp FOUND !
C:\WINNT\system32\ld????.tmp FOUND !
C:\WINNT\system32\ot.ico FOUND !
C:\WINNT\system32\regperf.exe FOUND !
C:\WINNT\system32\simpole.tlb FOUND !
C:\WINNT\system32\stdole3.tlb FOUND !
C:\WINNT\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\User\FAVORI~1

C:\DOCUME~1\User\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{89aef01d-d237-49c7-84dc-4e1904c1fd31}"="AutoDisc Ware"

[HKEY_CLASSES_ROOT\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINNT\system32\sbnudh.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINNT\system32\sbnudh.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


------------------------
Process.exe downloaded
2nd URL to beyondlogic Error 404 - broken link

Process.exe extracted and run

re. your 2nd post

"run this bit, skip the first, but save the log and post it back as you have another virus" - not sure what 'bit' you're referring to here?

Run Symantec Adware.Istbar/Trojan.ISTsvc Removal Tool:
35656 files scanned
1 deleted
0 threat processes terminated
0 other threat procs terminated
10 registry files fixed

I've got to close firefox to uninstall Java, so I'll sign off this post and continue on another

Laters, Z

"42??? We're going to get lynched!
 
continues:

Java uninstalled and reinstalled

Pocket Killbox downloaded
(not sure what in particular to use this to delete)


Ewido downloaded and installed and updated

ATF downloaded and run - emptied all, and again for firefox

OK, next step reboot into safe mode, so I'll sign off
again.


Laters, Z

"42??? We're going to get lynched!
 
ok, it is the same tool just a couple of links to symantec for fixistbar.


Ok run the second part of smitfraud and all the rest of the tools and post all the logs. See the instructions below in this post, save these to notepad for when you boot into safemode!


* Restart your computer into safe mode now. Perform the following steps in
safe mode:



Have HijackThis fix these entries. Close all browsers and programmes before
clicking FIX.


O4 - HKLM\..\Run: [Internet Explorer AutoUp..] svchost32.exe
O4 - HKLM\..\Run: [KIHC] C:\WINNT\reufcp.exe
O4 - HKLM\..\Run: [¢‰¸ÓÝ4‚’È
¤Á<??ÉoUC:\Program Files\ISTsvc\istsvc.exe] C:\WINNT\reufcp.exe
O4 - HKCU\..\Run: [Windows DNS Daemon] windnsd.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm




Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.



C:\WINNT\reufcp.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINNT\system32\windnsd.exe
C:\WINNT\windnsd.exe



Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.




* Run Ewido:

* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop


Reboot to normal mode and run a few online scans!



Run ActiveScan online virus scan here


When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!



Post another HijackThis log, the ewido, smitfraud and active scan logs

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
HijackThis fixed all entries

Killbox - entered all paths but no files found - did a search for windnsd.exe but not found anywhere on system

Smitfraudfix also run - no prompt to say wininet.dll infected

Ewido run (in normal mode) -318 infected files removed, report saved. I noticed then that you instructed a reboot to normal mode, so wasn't sure if Ewido should have been run in safe mode - to be on the safe side I reran in safe mode and got an all clear.

PandaScan wouldn't run in Firefox so I had to resort to IE

LOGS:

FxIstbar.log
------------
Symantec Adware.Istbar / Trojan.ISTsvc Removal Tool 1.1.0


registry: HKEY_USERS\S-1-5-21-583907252-1343024091-1202660629-500\Software\IST (key deleted)
registry: HKEY_USERS\S-1-5-21-583907252-1343024091-1202660629-500\Software\Microsoft\Internet Explorer\Explorer Bars\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} (key deleted)
registry: HKEY_USERS\S-1-5-21-583907252-1343024091-1202660629-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping: {10E42047-DEB9-4535-A118-B3F6EC39B807} (value deleted)
registry: HKEY_USERS\S-1-5-21-583907252-1343024091-1202660629-500\Software\Microsoft\Internet Explorer\Main: BandRest (value deleted)
registry: HKEY_USERS\S-1-5-21-583907252-1343024091-1202660629-500\Software\Microsoft\Internet Explorer\Main: Search Page_bak (value deleted)
registry: HKEY_USERS\S-1-5-21-583907252-1343024091-1202660629-500\Software\Microsoft\Internet Explorer\Main: Use Search Assistant (value deleted)
registry: HKEY_USERS\S-1-5-21-583907252-1343024091-1202660629-500\Software\Microsoft\Internet Explorer\Search: SearchAssistant (value deleted)
registry: HKEY_USERS\S-1-5-21-583907252-1343024091-1202660629-500\SOFTWARE\PowerScan (key deleted)

C:\Documents and Settings\Administrator\Local Settings\Temp\sidefind.exe: (deleted)
F:\System Volume Information: (not scanned)

registry: HKEY_USERS\S-1-5-21-583907252-1343024091-1202660629-500\Software\Microsoft\Internet Explorer\Main: Start Page (value set to "about:blank")
registry: HKEY_USERS\S-1-5-21-583907252-1343024091-1202660629-500\Software\Microsoft\Internet Explorer\Main: Search Page (value set to "Adware.Istbar has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 35656
The number of deleted files: 1
The number of threat processes terminated: 0
The number of other processes terminated: 0
The number of registry entries fixed: 10


------------------------------------------
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 17:31:58, 20/05/2006
+ Report-Checksum: C7C32C34

+ Scan result:

HKLM\SOFTWARE\Classes\FWN.FWNToolbar -> Adware.FindWhateverNow : Cleaned with backup
HKLM\SOFTWARE\Classes\FWN.FWNToolbar\Clsid -> Adware.FindWhateverNow : Cleaned with backup
HKLM\SOFTWARE\Classes\FWN.ISubclass -> Adware.FindWhateverNow : Cleaned with backup
HKLM\SOFTWARE\Classes\FWN.ISubclass\Clsid -> Adware.FindWhateverNow : Cleaned with backup
HKLM\SOFTWARE\Classes\HungryHands.HungryBHO -> Adware.HungryHands : Cleaned with backup
HKLM\SOFTWARE\Classes\HungryHands.HungryBHO\CLSID -> Adware.HungryHands : Cleaned with backup
HKLM\SOFTWARE\Classes\HungryHands.HungryBHO\CurVer -> Adware.HungryHands : Cleaned with backup
HKLM\SOFTWARE\Classes\HungryHands.HungryBHO.1 -> Adware.HungryHands : Cleaned with backup
HKLM\SOFTWARE\Classes\ImgConv.clsImgConv -> Adware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Classes\ImgConv.clsImgConv\Clsid -> Adware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows SR 3.0 -> Adware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows SR 3.0\- -> Adware.BlazeFind : Cleaned with backup
[944] C:\WINNT\system32\sbnudh.dll -> Trojan.Fakealert : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Paycounter : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Thunderdownloads : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Thunderdownloads : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@as1.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@www.ysbweb[1].txt -> TrackingCookie.Ysbweb : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\targetsaver.exe -> Downloader.TSUpdate.f : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\TMP10.tmp -> Adware.WebSpecial : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\TMP16.tmp -> Adware.SurfBuddy : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\TMPF.tmp -> Adware.WebSpecial : Cleaned with backup
:mozilla.21:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.23:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.28:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.29:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.30:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.31:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.32:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.33:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.34:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.35:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.36:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.37:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.38:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.39:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.40:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.41:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.42:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.43:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.44:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.45:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.46:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.47:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.48:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.49:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.50:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.51:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.52:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.53:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.54:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.55:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.56:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.57:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.58:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.59:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.60:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.61:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.62:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.63:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.64:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.65:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.66:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.67:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.73:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.74:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.81:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Adviva : Cleaned with backup
:mozilla.83:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.84:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.101:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup
:mozilla.102:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup
:mozilla.103:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup
:mozilla.104:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup
:mozilla.105:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup
:mozilla.149:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.150:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.151:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.152:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.153:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.154:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.157:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.160:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.161:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.162:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.163:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.167:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.203:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.217:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.218:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.219:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.220:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.258:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.263:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.264:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.273:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.274:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.275:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.276:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.277:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.278:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.279:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.292:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.293:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.307:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.308:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.309:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.310:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.311:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.312:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.313:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.314:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.315:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.316:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.317:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.318:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.319:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.320:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.321:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.322:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.323:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.324:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.325:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.326:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.327:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.328:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.329:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.330:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.331:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.332:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.333:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.334:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.341:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.342:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.370:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.371:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.372:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.373:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.374:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.375:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.394:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Estat : Cleaned with backup
:mozilla.422:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.423:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.434:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup
:mozilla.478:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Ivwbox : Cleaned with backup
:mozilla.535:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.553:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.554:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.557:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Paycounter : Cleaned with backup
:mozilla.558:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Paycounter : Cleaned with backup
:mozilla.565:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.573:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.574:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.575:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.576:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.588:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.589:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.590:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.591:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.592:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.605:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.606:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.607:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.608:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.609:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.619:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup
:mozilla.621:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.622:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.623:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.624:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.625:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.626:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.627:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.628:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.629:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.630:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.631:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.632:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.633:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.634:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.635:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.636:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.637:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.638:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.639:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.640:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.641:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.642:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.643:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.644:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.645:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.646:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.647:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.648:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.649:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.650:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.651:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.652:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.653:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.654:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.655:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.656:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.657:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.658:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.659:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.660:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.661:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.662:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.663:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.664:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.665:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.666:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.667:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.668:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.669:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.670:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.673:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.674:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.691:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.692:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.693:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.694:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.695:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.696:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.743:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup
:mozilla.749:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.753:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.754:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.756:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.757:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.758:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.759:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned with backup
:mozilla.767:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.768:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.769:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.770:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.773:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Counted : Cleaned with backup
:mozilla.791:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned with backup
:mozilla.796:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.797:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.798:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.799:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.804:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Tfag : Cleaned with backup
:mozilla.805:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Tfag : Cleaned with backup
:mozilla.806:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Tfag : Cleaned with backup
:mozilla.807:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Tfag : Cleaned with backup
:mozilla.812:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.813:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.818:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.819:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.820:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.821:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.825:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.826:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.827:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.829:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.830:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.831:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.832:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.833:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.834:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.835:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.836:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.840:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.843:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.844:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.849:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Realtracker : Cleaned with backup
:mozilla.896:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.897:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.898:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.899:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.900:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.901:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.902:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
C:\jocker.exe -> Dropper.Small.nm : Cleaned with backup
C:\Program Files\WebSpecials\uninst.exe -> Adware.WebSpecial : Cleaned with backup
C:\WINNT\system32\AcsProxy.dll -> Adware.FWN : Cleaned with backup
C:\WINNT\system32\sbnudh.dll -> Trojan.Fakealert : Cleaned with backup


::Report End
 
Ah, think I've found the max length of a post!

from where I left off:

ActiveScan Log


Incident Status Location

Adware:adware/keenvalue Not disinfected c:\winnt\system32\drivers\etc\hosts.bho
Adware:adware/wupd Not disinfected c:\program files\WebSpecials
Adware:adware/cws Not disinfected C:\Documents and Settings\User\Favorites\Technology
Dialer:dialer.su Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Switch
Adware:adware/hungryhands Not disinfected Windows Registry
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rv2xmiy6.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@adopt.hbmediapro[1].txt
Spyware:Cookie/Adwareremover Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@adwareremovergold[2].txt
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\webr.exe[WebRebates1.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\webr.exe[WebRebates0.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\webr.exe[disp1150.exe]
Spyware:Cookie/Spyfalcon Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt[www.spyfalcon.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt[.belnk.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt[.ct.360i.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt[.fortunecity.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Mp3search Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt[.mp3search.ru/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt[.tucows.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt[.uol.com.br/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt[.xmts.net/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\zhc38q27.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\User\Cookies\user@questionmarket[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\User\Desktop\SmitfraudFix\Process.exe
Adware:Adware/WUpd Not disinfected C:\lc2.html
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\SetUp Programs\process203.zip[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\SetUp Programs\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\unzipped\process203\Process.exe
Adware:Adware/WinTools Not disinfected C:\WINNT\Key3.txt
Virus:W32/Gaobot.FEK.worm Disinfected C:\WINNT\system32\TFTP696

...post continues

Laters, Z

"42??? We're going to get lynched!
 
/continued:

SmitFraudFix v2.45

Scan done at 16:40:11.34, Sat 20/05/2006
Run from C:\Documents and Settings\User\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINNT\system32\atmclk.exe Deleted
C:\WINNT\system32\dcomcfg.exe Deleted
C:\WINNT\system32\hp????.tmp Deleted
C:\WINNT\system32\ld????.tmp Deleted
C:\WINNT\system32\ot.ico Deleted
C:\WINNT\system32\regperf.exe Deleted
C:\WINNT\system32\simpole.tlb Deleted
C:\WINNT\system32\stdole3.tlb Deleted
C:\WINNT\system32\1024\ Deleted
C:\DOCUME~1\User\FAVORI~1\Antivirus Test Online.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End

.../continues

Laters, Z

"42??? We're going to get lynched!
 
...and finally the HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 19:10:59, on 20/05/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\BT Broadband Help\bin\mpbtn.exe
C:\OPLIMIT\ocrawr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\BTBROA~1\SMARTB~1\SBHookSvc.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\RunServices: [Internet Explorer AutoUp..] svchost32.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AAED621-40C8-40D2-87ED-0CEA31D0D8D9}: NameServer = 194.74.65.69 194.72.9.34
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\BTBROA~1\SMARTB~1\SBHookSvc.exe

From the ActiveScan it looks like I've still got some infections to get rid of.

I am really very grateful for your continuing patience and advice! Many many thanks

Laters, Z

"42??? We're going to get lynched!
 
ok just a bit of cleaning up to do!


* Go to Control Panel > Internet Options. On the General tab under
"Temporary Internet Files" Click "Delete Files". Put a check by "Delete
Offline Content" and click OK. Click on the "Delete Cookies" button to clear
the cookies.


For Mozilla

To block cookies in mozilla and stop them from coming back click on
tools/ options/privacy/click view cookies, now you will now see a
list of cookies, click on all the cookies to delete that you don't want
to keep! You can view all the blocked cookies by clicking exceptions!


* Restart your computer into safe mode now. Perform the following steps in
safe mode:



have hijack this fix these entries. close all browsers and programmes before
clicking FIX.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm


Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.



c:\winnt\system32\drivers\etc\hosts.bho
c:\program files\WebSpecials
C:\Documents and Settings\User\Favorites\Technology
C:\lc2.html
C:\WINNT\Key3.txt



go to this site and download these tools and once you get both
adaware Se 1.6 and spybot, update both of them.

Set adaware to do a full system scan and deselect, "search for negligible risk
entries". Click next to start the scan. Delete everything adaware finds.

reboot and now run spybot

Spybot: Search and destroy.

Delete what spybot finds marked in red. After updating spybot hit the
immunize button.



Go here and download Microsoft® Windows Defender. First in the top menu click
File then Check for updates to download the definitions updates.

After updating look in the right side of the main window under "Run Quick
Scan Now" and click Spyware scan options. In that window put a tick by Run a
full system scan and then put a check by all three options below that then
click Run Scan now.

When the scan is finished, let it fix anything that it finds (have it
quarantine the items that have that option rather than delete just in case.
It is a beta program and there may be false positives)

Restart your computer.


All tools can be downloaded at the link below and found on that page!


. Microsoft® Windows Defender!
. SpyBot search and destroy
. AdAware SE personal





post another log



Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
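
The five Killbox paths in the reply above all appear in the ActiveScan log as adware entries left "Not disinfected". As an added example (not part of the thread), this sketch parses ActiveScan lines and separates plain file paths from registry entries, members inside other files, and the entry cut off by the post limit; the line layout is inferred from the log as pasted here, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: a subset of lines copied from the ActiveScan log in this
# thread, including the entry that was cut off at the post-length limit.
SAMPLE_LOG = r"""
Incident Status Location

Adware:adware/keenvalue Not disinfected c:\winnt\system32\drivers\etc\hosts.bho
Adware:adware/wupd Not disinfected c:\program files\WebSpecials
Adware:adware/cws Not disinfected C:\Documents and Settings\User\Favorites\Technology
Dialer:dialer.su Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Switch
Adware:adware/hungryhands Not disinfected Windows Registry
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@adopt.hbmediapro[1].txt
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\webr.exe[WebRebates1.exe]
Spyware:Cookie/Apmebf Not disinfected
Potentially unwanted tool:Application/Processor Not disinfected C:\unzipped\process203\Process.exe
Adware:Adware/WUpd Not disinfected C:\lc2.html
Adware:Adware/WinTools Not disinfected C:\WINNT\Key3.txt
Virus:W32/Gaobot.FEK.worm Disinfected C:\WINNT\system32\TFTP696
"""

# Assumed layout, inferred from the pasted log:
#   <category>:<name> <status> [<location>]
# The category may contain spaces; the location may contain spaces or be absent.
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>\S+)\s+"
    r"(?P<status>Not disinfected|Disinfected)"
    r"(?:\s+(?P<location>.*))?$"
)


def classify_location(location):
    """Say what kind of object a location string points at."""
    if not location:
        return "missing"      # truncated line, nothing to act on
    lowered = location.lower()
    if lowered.startswith("hkey_") or lowered == "windows registry":
        return "registry"     # not a file path
    if location.endswith("]"):
        return "container"    # item inside another file: path[member]
    if re.match(r"^[A-Za-z]:\\", location):
        return "file"         # plain drive-letter path
    return "other"


def parse_report(text):
    """Return one dict per detection line; headers and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue
        entry = match.groupdict()
        entry["location"] = (entry["location"] or "").strip()
        entry["kind"] = classify_location(entry["location"])
        entries.append(entry)
    return entries


def leftover_adware_paths(entries):
    """Adware detections still on disk as plain files or folders."""
    return [
        e["location"]
        for e in entries
        if e["category"].lower() == "adware"
        and e["status"] == "Not disinfected"
        and e["kind"] == "file"
    ]


def pending_by_kind(entries):
    """Count the entries still 'Not disinfected', grouped by location kind."""
    return Counter(e["kind"] for e in entries if e["status"] == "Not disinfected")


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_LOG)
    for path in leftover_adware_paths(parsed):
        print(path)
    print(dict(pending_by_kind(parsed)))
```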
 
Hi again

OK, instructions followed:
Temp Internet files/cookies deleted apart from a few I recognised.

Had to download Windows Defender and AdAware in normal mode as Safe Mode won't let me connect to internet via normal route.
Already have Spybot - updated definitions on all 3. Had some trouble with Windows Defender as GDI+ not installed, but got that from MS dload centre.

Windows Defender wouldn't start in Safe Mode, so run in normal: found and deleted RBot, RapidBlaster and Find Whatever Now (deleted rather than quarantined as I'd not read your parenthetical comment before actioning, but reran after and it came up all clear).

SpyBot found no threat.

AdAware found and deleted a bunch of stuff, log follows:

Code:
Ad-Aware SE Build 1.06r1
Logfile Created on:21 May 2006 17:45:59
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R108 17.05.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa(TAC index:5):1 total references
BlazeFind(TAC index:5):1 total references
EzuLa(TAC index:6):2 total references
FindWhateverNow(TAC index:7):4 total references
HungryHands BHO(TAC index:3):5 total references
Tracking Cookie(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


21-05-2006 17:45:59 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
    FilePath           : \SystemRoot\System32\
    ProcessID          : 116
    ThreadCreationTime : 21-05-2006 16:23:15
    BasePriority       : Normal


#:2 [csrss.exe]
    FilePath           : \??\C:\WINNT\system32\
    ProcessID          : 144
    ThreadCreationTime : 21-05-2006 16:23:28
    BasePriority       : Normal


#:3 [winlogon.exe]
    FilePath           : \??\C:\WINNT\system32\
    ProcessID          : 164
    ThreadCreationTime : 21-05-2006 16:23:29
    BasePriority       : High


#:4 [services.exe]
    FilePath           : C:\WINNT\system32\
    ProcessID          : 192
    ThreadCreationTime : 21-05-2006 16:23:31
    BasePriority       : Normal
    FileVersion        : 5.00.2195.7035
    ProductVersion     : 5.00.2195.7035
    ProductName        : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Services and Controller app
    InternalName       : services.exe
    LegalCopyright     : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename   : services.exe

#:5 [lsass.exe]
    FilePath           : C:\WINNT\system32\
    ProcessID          : 204
    ThreadCreationTime : 21-05-2006 16:23:31
    BasePriority       : Normal
    FileVersion        : 5.00.2195.7011
    ProductVersion     : 5.00.2195.7011
    ProductName        : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : LSA Executable and Server DLL (Export Version)
    InternalName       : lsasrv.dll and lsass.exe
    LegalCopyright     : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename   : lsasrv.dll and lsass.exe

#:6 [svchost.exe]
    FilePath           : C:\WINNT\system32\
    ProcessID          : 360
    ThreadCreationTime : 21-05-2006 16:23:34
    BasePriority       : Normal
    FileVersion        : 5.00.2134.1
    ProductVersion     : 5.00.2134.1
    ProductName        : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename   : svchost.exe

#:7 [winmgmt.exe]
    FilePath           : C:\WINNT\System32\WBEM\
    ProcessID          : 384
    ThreadCreationTime : 21-05-2006 16:23:34
    BasePriority       : Normal
    FileVersion        : 1.50.1085.0100
    ProductVersion     : 1.50.1085.0100
    ProductName        : Windows Management Instrumentation
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Management Instrumentation
    InternalName       : WINMGMT
    LegalCopyright     : Copyright (C) Microsoft Corp. 1995-1999

#:8 [explorer.exe]
    FilePath           : C:\WINNT\
    ProcessID          : 392
    ThreadCreationTime : 21-05-2006 16:27:05
    BasePriority       : Normal
    FileVersion        : 5.00.3700.6690
    ProductVersion     : 5.00.3700.6690
    ProductName        : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Explorer
    InternalName       : explorer
    LegalCopyright     : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename   : EXPLORER.EXE

#:9 [ad-aware.exe]
    FilePath           : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
    ProcessID          : 248
    ThreadCreationTime : 21-05-2006 16:28:13
    BasePriority       : Normal
    FileVersion        : 6.2.0.236
    ProductVersion     : SE 106
    ProductName        : Lavasoft Ad-Aware SE
    CompanyName        : Lavasoft Sweden
    FileDescription    : Ad-Aware SE Core application
    InternalName       : Ad-Aware.exe
    LegalCopyright     : Copyright © Lavasoft AB Sweden
    OriginalFilename   : Ad-Aware.exe
    Comments           : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 EzuLa Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 6
    Category           : Data Miner
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{68831d00-169e-4feb-89b9-e099df439321}

 FindWhateverNow Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 7
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : clsid\{3d156636-3f7e-46c9-9ac1-5e4d8202aa23}

 FindWhateverNow Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 7
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{3dbbf8b7-a97c-4a92-8d27-d29222e6b60f}

 FindWhateverNow Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 7
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{ea9d65a3-8fa2-433e-9caf-68c6e43555af}

 FindWhateverNow Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 7
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : typelib\{0e9db3ab-d16a-47cf-b59a-f74d649bea5b}

 HungryHands BHO Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 3
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : appid\hungryhands.dll

 HungryHands BHO Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 3
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : appid\{03f8822f-8877-4002-8bcd-b532d53d8471}

 HungryHands BHO Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 3
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : clsid\{bcf96fb4-5f1b-497b-aecc-910304a55011}

 HungryHands BHO Object Recognized!
    Type               : RegValue
    Data               : 
    TAC Rating         : 3
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : clsid\{bcf96fb4-5f1b-497b-aecc-910304a55011}
    Value              : AppID

 HungryHands BHO Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 3
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{f8fb4ea2-6c05-4de5-8cd0-625b03f48e22}

 Alexa Object Recognized!
    Type               : RegValue
    Data               : 
    TAC Rating         : 5
    Category           : Data Miner
    Comment            : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-583907252-1343024091-1202660629-1000\software\microsoft\internet explorer\extensions\cmdmapping
    Value              : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 11
Objects found so far: 11


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 BlazeFind Object Recognized!
    Type               : File
    Data               : Key3.txt
    TAC Rating         : 5
    Category           : Malware
    Comment            : 
    Object             : C:\!KillBox\



 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : administrator@dcsgcxwngpifwznfzlmv83o6w_5w4m[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : 
    Value              : C:\Documents and Settings\Administrator\Cookies\administrator@dcsgcxwngpifwznfzlmv83o6w_5w4m[1].txt

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 13


Deep scanning and examining files (F:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for F:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 13


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 13




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 EzuLa Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 6
    Category           : Data Miner
    Comment            : 
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\microsoft\downloadmanager

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 14

17:52:05 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:06:05.165
Objects scanned:80532
Objects identified:14
Objects ignored:0
New critical objects:14

So, big question - am I home and dry now, or at least home and vigorously towelling myself off?

I've just run another HijackThis: logfile:
Code:
Logfile of HijackThis v1.99.1
Scan saved at 18:33:36, on 21/05/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\BT Broadband Help\bin\mpbtn.exe
C:\OPLIMIT\ocrawr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\BTBROA~1\SMARTB~1\SBHookSvc.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [Internet Explorer AutoUp..] svchost32.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AAED621-40C8-40D2-87ED-0CEA31D0D8D9}: NameServer = 194.74.65.69 194.72.9.34
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\BTBROA~1\SMARTB~1\SBHookSvc.exe

Any other sweeps I should run at this stage?

Once again, many thanks for your patience, help and consideration.

I need to consider options for updating my security, and I could use some advice, but I'll start another thread for that one.

Laters, Z

"42??? We're going to get lynched!
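
A small triage pass over the O4 (autostart) and O23 (service) lines of a HijackThis log, added here as an example and not part of the original posts: it lists entries with no full path, an unknown owner, or a missing file so they can be checked by hand. The sample lines are an excerpt of the log above; the function and flag names are made up for this example.

```python
import re
from typing import List, NamedTuple

# Excerpt of the HijackThis log posted above (O4 = autostart, O23 = service).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Internet Explorer AutoUp..] svchost32.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
"""

O4_REG = re.compile(r"^O4 - (?P<where>\S+): \[(?P<name>.*?)\] (?P<cmd>.+)$")
O4_LNK = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
O23_SVC = re.compile(r"^O23 - Service: (?P<rest>.+)$")
# Program part of a command line: optional quote, then up to the first extension.
PROGRAM = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|com|bat|scr|pif))', re.I)

class Finding(NamedTuple):
    section: str    # "O4" or "O23"
    name: str       # value name, shortcut name or service name
    target: str     # program the entry starts
    reasons: tuple  # hypothetical flag names, defined by this example

def triage(log: str) -> List[Finding]:
    """Return the O4/O23 entries that need a manual look, in log order."""
    findings = []
    for line in map(str.strip, log.splitlines()):
        m = O4_REG.match(line) or O4_LNK.match(line)
        if m:
            prog = PROGRAM.match(m["cmd"])
            target = prog["exe"] if prog else m["cmd"]
            # No directory part: Windows picks the file through its search
            # path, so the log alone does not say which file actually runs.
            if "\\" not in target:
                findings.append(Finding("O4", m["name"], target, ("no_path",)))
            continue
        m = O23_SVC.match(line)
        if m:
            parts = m["rest"].rsplit(" - ", 2)  # name - owner - image path
            if len(parts) != 3:
                continue
            name, owner, path = parts
            reasons = []
            if owner == "Unknown owner":         # HijackThis shows no company name
                reasons.append("unknown_owner")
            if path.endswith("(file missing)"):  # HijackThis could not find it
                reasons.append("file_missing")
            if reasons:
                findings.append(Finding("O23", name, path, tuple(reasons)))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, f.name, "->", f.target, list(f.reasons))
```

A flag here only means the entry cannot be judged from the log line alone; the file on disk still has to be looked at.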
 
Oh, btw., it may be worth pointing out, Spybot only immunizes IE as far as I am aware, and I use Mozilla Firefox as I am given to understand that it is more secure from attack than IE and less prone to problems with pop-ups etc. Is there any way to immunize Firefox in a similar way that anyone knows of?

Laters, Z

"42??? We're going to get lynched!
 
Yes, we can use spywareblaster to give added protection to Mozilla!

Clean log!


You should now turn off system restore to flush out the bad restore points and
then re-enable it and make a new clean restore point.


How to turn off system restore







Here are some free tools to keep you from getting infected in the future.


To stop reinfection get spywareblaster from




Get the hosts file from here. Unzip it to a folder!





Put it into: or click the mvps bat and it should do it for you!


Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS



ie-spyad. Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.






prev free



Use spybot's immunize button and use spywareblaster's enable
protection once you update it. You can put spybot's hosts file into
your own and lock it.



I would also suggest switching to Mozilla's Firefox browser, it's safer, has
a built-in pop-up blocker, blocks cookies and ads. Mozilla Thunderbird is also a good
e-mail client.



Another good and free browser is Opera!



Read here to see how to tighten your security:



A good overall guide for firewalls, anti-virus, and anti-trojans as well as
regular spyware cleaners.




You can mark your own thread solved through thread tools at the top of
the page.


Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
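
For the hosts-file step in the post above (a downloaded file dropped into `C:\WINNT\SYSTEM32\DRIVERS\ETC`, or merged into your own), one way to check the download before installing it, added here as an example and not part of the original post. It keeps the existing mappings, adds only names that point at a loopback or null address, and reports any line that would send a name somewhere else; the function names and the sample data are made up for this example.

```python
# Constructed sample data: .example names and a TEST-NET address, not real hosts.
EXISTING = "127.0.0.1       localhost\n"
BLOCKLIST = """\
# constructed blocklist in hosts-file format
127.0.0.1  localhost
127.0.0.1  ads.example
0.0.0.0    tracker.example   # trailing comment
127.0.0.1  ADS.example
203.0.113.10  www.bank.example
"""

SINKS = {"127.0.0.1", "0.0.0.0"}  # addresses a blocklist entry may point at


def parse_hosts(text):
    """Yield (address, hostname) for every mapping, skipping comments."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def merge_hosts(existing, blocklist):
    """Append blocklist names to an existing hosts file.

    Returns (merged_text, rejected). Mappings already in the file win, and a
    blocklist line that points a name at anything but a sink address is
    rejected: such a line would redirect traffic rather than block it.
    """
    seen = {name for _, name in parse_hosts(existing)}
    added, rejected = [], []
    for address, name in parse_hosts(blocklist):
        if address not in SINKS:
            rejected.append((name, address))
        elif name not in seen:
            seen.add(name)
            added.append(name)
    merged = existing.rstrip("\n") + "\n"
    merged += "".join("127.0.0.1       %s\n" % name for name in added)
    return merged, rejected


if __name__ == "__main__":
    merged, rejected = merge_hosts(EXISTING, BLOCKLIST)
    print(merged, end="")
    for name, address in rejected:
        print("rejected: %s -> %s" % (name, address))
```

A non-empty `rejected` list is a reason not to install the downloaded file as it stands.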
 
re. system restore: ok, but I'm using Win2000, and here system restore is like 'last known good configuration' - but how do I set a new good config in Win2000?

Laters, Z

"42??? We're going to get lynched!
 
Thanks very very much Pechenegs; your help and advice has been invaluable.

Couple of post-scripts:
"you can mark your own thread solved through thread tools at the top of
the page"
I can't find the tool mentioned to close the thread!
SpywareBlaster won't update - Error Connecting to Update Server; I've tried all combinations on the update options to no avail.
From what I can see System Restore only applies to XP, not 2000 - I assume I can therefore ignore this since I am running Win2000?

Anyway thanks again!!!

Cheers, Z

Laters, Z

"42??? We're going to get lynched!
 
oops, forget that, that info is for another forum!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 