Broadcaster Virus/Trojan

Discussion in 'Malware and Virus Removal Archive' started by SquidVicious, 2007/04/08.

  1. 2007/04/08
    SquidVicious

    SquidVicious Inactive Thread Starter

    Joined:
    2007/04/08
    Messages:
    7
    Likes Received:
    0
    This is the log I get from HiJackThis (which I renamed to HJT)

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 8:36:10 AM, on 4/8/2007
    Platform: Windows XP (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\lsasss.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WgaTray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Dan.123-O348O56RRHK\Desktop\HJT.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1b0777ba-bee8-4a3c-89d0-0068a1e225da} - C:\WINDOWS\system32\kbdmap.dll
    O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\System32\tmp26.tmp.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\iihgfd.dll ",realset
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21971219142ffd6dae18/netzip/RdxIE601.cab
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: kbdmap - C:\WINDOWS\SYSTEM32\kbdmap.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    --
    End of file - 2808 bytes

    Any help would be appreciated.

    Squid
     
  2. 2007/04/08
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.

    I see you're running the new Trend Micro HijackThis! beta version. We in the forums prefer at this time not to use it, until they have ironed out all the wrinkles, so would you please download the older version, 1.99.1 and run a new log.

    Please download HijackThis! SetUp from here. Save the file to your desktop.

    Double-click the HijackThis! SetUp icon to begin the installation. Follow the prompts for the default install location of: 'C:\Program Files\HijackThis'. Tick the 'Create a desktop' button when the option appears. Select next, then allow HijackThis! to start.

    Once installed, please rename the hijackthis.exe to any name of your choice, as long as it is something other than hijackthis.exe. Vundo likes to hide itself from HJT.

    Then press the [Scan] button. You will notice the [Scan] button will turn into a [Save Log] button. Click the [Save Log] button and notepad will open up with the contents of the scan. Right-click in the saved log, and select 'copy'. Then proceed to your original thread, unless otherwise instructed and click the '[Reply]' button and paste the saved contents to be reviewed. Do not make any modifications to the log or perform any 'fixes' until told to do so.
     

  4. 2007/04/08
    SquidVicious

    SquidVicious Inactive Thread Starter

    New HijackThis log

    As requested

    Logfile of HijackThis v1.99.1
    Scan saved at 8:14:09 PM, on 4/8/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\System32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\lsasss.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    c:\program files\internet explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\HJT\HJT.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1b0777ba-bee8-4a3c-89d0-0068a1e225da} - C:\WINDOWS\system32\kbdmap.dll
    O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\System32\tmp26.tmp.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\iihgfd.dll ",realset
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21971219142ffd6dae18/netzip/RdxIE601.cab
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: kbdmap - C:\WINDOWS\SYSTEM32\kbdmap.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe



    Thanks

    Squid
     
  5. 2007/04/09
    TeMerc

    TeMerc Inactive Alumni

    OK, let's run a special tool and a scanner.

    Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Then:
    Download AVG Anti-Spyware 7.5 from HERE and save that file to your desktop.
    This is a 30 day trial of the program
    • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    • Once the setup is complete you will need to run ewido and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the [Start Update] button, the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
    Close AVG anti-spyware, Do Not run a scan just yet, we will shortly.

    Reboot, into safe mode, this way:
    • Turn on the computer
    • Immediately begin tapping the <F8> key.
    • Use the arrow keys to highlight Safe Mode and press the <Enter> key.
    IMPORTANT: Do not open any other windows or programs while AVG is scanning, it may interfere with the scanning process.

    Launch ewido-anti-spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • AVG will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted, then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the [Save report as] button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close AVG and reboot your system back into Normal Mode and post the results of the AVG report scan. (Please edit out any cookie, Recycler and System Volume Information Folder references)

    Post all 3 logs, from HJT, ComboFix and AVG.
     
  6. 2007/04/09
    SquidVicious

    SquidVicious Inactive Thread Starter

    As requested

    HJT

    Logfile of HijackThis v1.99.1
    Scan saved at 7:39:24 AM, on 4/9/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svehost.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\HJT\HJT.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1b0777ba-bee8-4a3c-89d0-0068a1e225da} - C:\WINDOWS\system32\kbdmap.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\iihgfd.dll ",realset
    O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21971219142ffd6dae18/netzip/RdxIE601.cab
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: kbdmap - C:\WINDOWS\SYSTEM32\kbdmap.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe



    AVG

    --------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 7:27:42 AM 4/9/2007

    + Scan result:



    HKLM\SOFTWARE\AntivirusGold -> Adware.AntiVirusGolden : No action taken.
    C:\System Volume Information\_restore{906A4E97-655A-4A67-BE36-833FC7AD32E8}\RP282\A0013509.exe -> Adware.BargainBuddy : No action taken.
    C:\System Volume Information\_restore{2FD07B13-CB2A-4118-A107-445EDE99D394}\RP205\A0005300.exe -> Downloader.Agent.awf : No action taken.
    C:\System Volume Information\_restore{2FD07B13-CB2A-4118-A107-445EDE99D394}\RP205\A0005301.exe -> Downloader.Agent.awf : No action taken.
    C:\System Volume Information\_restore{2FD07B13-CB2A-4118-A107-445EDE99D394}\RP206\A0005303.exe -> Downloader.Agent.awf : No action taken.
    C:\System Volume Information\_restore{2FD07B13-CB2A-4118-A107-445EDE99D394}\RP206\A0005304.exe -> Downloader.Agent.awf : No action taken.
    C:\System Volume Information\_restore{2FD07B13-CB2A-4118-A107-445EDE99D394}\RP206\A0005305.exe -> Downloader.Agent.awf : No action taken.
    C:\System Volume Information\_restore{2FD07B13-CB2A-4118-A107-445EDE99D394}\RP211\A0005322.exe -> Downloader.Agent.awf : No action taken.
    C:\System Volume Information\_restore{2FD07B13-CB2A-4118-A107-445EDE99D394}\RP213\A0005696.exe -> Downloader.Agent.awf : No action taken.
    C:\System Volume Information\_restore{2FD07B13-CB2A-4118-A107-445EDE99D394}\RP213\A0005697.exe -> Downloader.Agent.awf : No action taken.
    C:\WINDOWS\system32\NeroCheck.exe -> Downloader.Agent.awf : No action taken.
    C:\WINDOWS\system32\NeroCheck.exe1173276974 -> Downloader.Agent.awf : No action taken.
    C:\WINDOWS\system32\NeroCheck.exe1173983932 -> Downloader.Agent.awf : No action taken.
    C:\WINDOWS\system32\bak\lsasss.exe -> Downloader.Agent.awf : No action taken.
    C:\WINDOWS\system32\lsasss.exe -> Downloader.Agent.awf : No action taken.
    C:\Documents and Settings\db.123-O348O56RRHK\Local Settings\Temp\tmp1.tmp.exe -> Downloader.Agent.bjk : No action taken.
    C:\Documents and Settings\db.123-O348O56RRHK\Local Settings\Temp\tmp266C.tmp.exe -> Downloader.Agent.bjk : No action taken.
    C:\WINDOWS\system32\clcl3.exe -> Downloader.Agent.es : No action taken.
    C:\WINDOWS\system32\kbdmap.dll -> Downloader.ConHook.an : No action taken.
    C:\QooBox\Quarantine\WINDOWS\system32\scrsys16_070407.scr.vir -> Logger.Agent.pn : No action taken.
    C:\QooBox\Quarantine\WINDOWS\system32\winsys16_070407.dll.vir -> Logger.Agent.pn : No action taken.
    C:\QooBox\Quarantine\WINDOWS\system32\winsys32_070407.dll.vir -> Logger.Agent.pn : No action taken.
    C:\System Volume Information\_restore{2FD07B13-CB2A-4118-A107-445EDE99D394}\RP235\A0006318.dll -> Logger.Agent.pn : No action taken.
    C:\System Volume Information\_restore{2FD07B13-CB2A-4118-A107-445EDE99D394}\RP236\A0006347.dll -> Logger.Agent.pn : No action taken.
    C:\System Volume Information\_restore{2FD07B13-CB2A-4118-A107-445EDE99D394}\RP236\A0006355.dll -> Logger.Agent.pn : No action taken.
    C:\System Volume Information\_restore{2FD07B13-CB2A-4118-A107-445EDE99D394}\RP236\A0006356.dll -> Logger.Agent.pn : No action taken.
    C:\System Volume Information\_restore{2FD07B13-CB2A-4118-A107-445EDE99D394}\RP236\A0006357.scr -> Logger.Agent.pn : No action taken.
    C:\System Volume Information\_restore{2FD07B13-CB2A-4118-A107-445EDE99D394}\RP236\A0006358.dll -> Logger.Agent.pn : No action taken.
    C:\System Volume Information\_restore{2FD07B13-CB2A-4118-A107-445EDE99D394}\RP236\A0006363.dll -> Logger.Agent.pn : No action taken.
    C:\System Volume Information\_restore{2FD07B13-CB2A-4118-A107-445EDE99D394}\RP236\A0006369.dll -> Logger.Agent.pn : No action taken.
    C:\System Volume Information\_restore{2FD07B13-CB2A-4118-A107-445EDE99D394}\RP237\A0006444.scr -> Logger.Agent.pn : No action taken.
    C:\System Volume Information\_restore{2FD07B13-CB2A-4118-A107-445EDE99D394}\RP237\A0006445.dll -> Logger.Agent.pn : No action taken.
    C:\System Volume Information\_restore{2FD07B13-CB2A-4118-A107-445EDE99D394}\RP237\A0006446.dll -> Logger.Agent.pn : No action taken.
    C:\Documents and Settings\db.123-O348O56RRHK\Cookies\db@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : No action taken.
    C:\Documents and Settings\Dan.123-O348O56RRHK\Cookies\dan@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
    C:\Documents and Settings\Mary.123-O348O56RRHK\Cookies\mary@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
    C:\Documents and Settings\Mary\Cookies\mary@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
    C:\Documents and Settings\db.123-O348O56RRHK\Cookies\db@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
    C:\Documents and Settings\DB\Cookies\db@search.msn[2].txt -> TrackingCookie.Msn : No action taken.
    C:\Documents and Settings\Mary.123-O348O56RRHK\Cookies\mary@search.msn[2].txt -> TrackingCookie.Msn : No action taken.
    C:\Documents and Settings\Mary\Cookies\mary@search.msn[1].txt -> TrackingCookie.Msn : No action taken.
    C:\Documents and Settings\db.123-O348O56RRHK\Cookies\db@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : No action taken.
    C:\Documents and Settings\DB\Cookies\db@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : No action taken.
    C:\Documents and Settings\db.123-O348O56RRHK\Cookies\db@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : No action taken.
    C:\Documents and Settings\db.123-O348O56RRHK\Cookies\db@perf.overture[1].txt -> TrackingCookie.Overture : No action taken.
    C:\Documents and Settings\DB\Cookies\db@www.paypal[1].txt -> TrackingCookie.Paypal : No action taken.
    C:\Documents and Settings\DB\Cookies\db@www.paypal[2].txt -> TrackingCookie.Paypal : No action taken.
    C:\Documents and Settings\DB\Cookies\db@preferences[2].txt -> TrackingCookie.Preferences : No action taken.
    C:\Documents and Settings\Mary.123-O348O56RRHK\Cookies\mary@questionmarket[1].txt -> TrackingCookie.Questionmarket : No action taken.
    C:\Documents and Settings\db.123-O348O56RRHK\Cookies\db@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.
    C:\Documents and Settings\DB\Cookies\db@guide.real[1].txt -> TrackingCookie.Real : No action taken.
    C:\Documents and Settings\DB\Cookies\db@home.real[1].txt -> TrackingCookie.Real : No action taken.
    C:\Documents and Settings\DB\Cookies\db@realguide.real[1].txt -> TrackingCookie.Real : No action taken.
    C:\Documents and Settings\DB\Cookies\db@realguide.real[2].txt -> TrackingCookie.Real : No action taken.
    C:\Documents and Settings\DB\Cookies\db@www.real[1].txt -> TrackingCookie.Real : No action taken.
    C:\Documents and Settings\DB\Cookies\db@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : No action taken.
    C:\Documents and Settings\db.123-O348O56RRHK\Cookies\db@realmedia[2].txt -> TrackingCookie.Realmedia : No action taken.
    C:\Documents and Settings\Dan.123-O348O56RRHK\Cookies\dan@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : No action taken.
    C:\Documents and Settings\db.123-O348O56RRHK\Cookies\db@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : No action taken.
    C:\Documents and Settings\DB\Cookies\db@revsci[2].txt -> TrackingCookie.Revsci : No action taken.
    C:\Documents and Settings\db.123-O348O56RRHK\Cookies\db@revsci[2].txt -> TrackingCookie.Revsci : No action taken.
    C:\Documents and Settings\db.123-O348O56RRHK\Cookies\db@edge.ru4[2].txt -> TrackingCookie.Ru4 : No action taken.
    C:\Documents and Settings\DB\Cookies\db@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : No action taken.
    C:\Documents and Settings\DB\Cookies\db@statcounter[1].txt -> TrackingCookie.Statcounter : No action taken.
    C:\Documents and Settings\Dan.123-O348O56RRHK\Cookies\dan@statcounter[2].txt -> TrackingCookie.Statcounter : No action taken.
    C:\Documents and Settings\db.123-O348O56RRHK\Cookies\db@statcounter[2].txt -> TrackingCookie.Statcounter : No action taken.
    C:\Documents and Settings\Mary.123-O348O56RRHK\Cookies\mary@anad.tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
    C:\Documents and Settings\Mary.123-O348O56RRHK\Cookies\mary@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
    C:\Documents and Settings\DB\Cookies\db@tfag[2].txt -> TrackingCookie.Tfag : No action taken.
    C:\Documents and Settings\Dan.123-O348O56RRHK\Cookies\dan@login.tracking101[1].txt -> TrackingCookie.Tracking101 : No action taken.
    C:\Documents and Settings\db.123-O348O56RRHK\Cookies\db@login.tracking101[2].txt -> TrackingCookie.Tracking101 : No action taken.
    C:\Documents and Settings\db.123-O348O56RRHK\Cookies\db@trafficmp[2].txt -> TrackingCookie.Trafficmp : No action taken.
    C:\Documents and Settings\db.123-O348O56RRHK\Cookies\db@webstat[1].txt -> TrackingCookie.Web-stat : No action taken.
    C:\Documents and Settings\DB\Cookies\db@m.webtrends[2].txt -> TrackingCookie.Webtrends : No action taken.
    C:\Documents and Settings\Dan.123-O348O56RRHK\Cookies\dan@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : No action taken.
    C:\Documents and Settings\Mary.123-O348O56RRHK\Cookies\mary@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : No action taken.
    C:\Documents and Settings\db.123-O348O56RRHK\Cookies\db@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : No action taken.
    C:\Documents and Settings\DB\Cookies\db@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.
    C:\Documents and Settings\DB\Cookies\db@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : No action taken.
    C:\Documents and Settings\DB\Cookies\db@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.
    C:\Documents and Settings\db.123-O348O56RRHK\Cookies\db@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
    C:\Documents and Settings\db.123-O348O56RRHK\Cookies\db@zedo[2].txt -> TrackingCookie.Zedo : No action taken.
    C:\System Volume Information\_restore{2FD07B13-CB2A-4118-A107-445EDE99D394}\RP235\A0006314.dll -> Trojan.Agent.agv : No action taken.
    C:\Documents and Settings\db.123-O348O56RRHK\Local Settings\Temp\tmp19.tmp.exe -> Trojan.Small : No action taken.
    C:\Documents and Settings\db.123-O348O56RRHK\Local Settings\Temp\tmp266D.tmp.exe -> Trojan.Small : No action taken.
    C:\Documents and Settings\db.123-O348O56RRHK\Local Settings\Temp\tmp2678.tmp.exe -> Trojan.Small : No action taken.


    ::Report end
     
  7. 2007/04/09
    SquidVicious

    Combo Fix

    ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Dan.123-O348O56RRHK\Desktop"


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\AlxRes070407.exe
    C:\WINDOWS\system32\scrsys070407.scr
    C:\WINDOWS\system32\scrsys16_070407.scr
    C:\WINDOWS\system32\winsys16_070407.dll
    C:\WINDOWS\system32\winsys32_070407.dll
    C:\WINDOWS\system32\tmp26.tmp.dll
    C:\WINDOWS\system32\tmp2678.tmp.dll
    C:\Program Files\install.log
    C:\WINDOWS\system32\mywebhit.ini
    C:\WINDOWS\system32\mywebhit.ini.tmp
    C:\WINDOWS\mywinsys.ini


    ((((((((((((((((((((((((((((((( Files Created from 2007-03-09 to 2007-04-09 ))))))))))))))))))))))))))))))))))


    2007-04-09 05:47 <DIR> d---s---- C:\DOCUME~1\DAN~1.123\UserData
    2007-04-09 01:19 73,728 --a------ C:\WINDOWS\system32\svehost.exe
    2007-04-09 01:19 204,288 --a------ C:\WINDOWS\system32\clcl3.exe
    2007-04-08 19:17 <DIR> d-------- C:\Program Files\HJT
    2007-04-08 06:41 106,767 --a------ C:\WINDOWS\iihgfd.dll
    2007-04-07 20:59 106 --a------ C:\delete.bat
    2007-04-07 20:50 <DIR> d-------- C:\VundoFix Backups
    2007-04-07 20:42 <DIR> d-------- C:\DOCUME~1\DAN~1.123\APPLIC~1\Google
    2007-04-07 20:42 <DIR> d-------- C:\DOCUME~1\DAN~1.123\APPLIC~1\Adobe
    2007-04-07 20:24 97,280 --a------ C:\VundoFix.exe
    2007-04-02 16:25 19,275 --a------ C:\WINDOWS\system32\kbdmap.dll
    2007-03-27 03:42 <DIR> d-------- C:\DOCUME~1\MARY~1.123\APPLIC~1\Google
    2007-03-27 03:42 <DIR> d-------- C:\DOCUME~1\MARY~1.123\APPLIC~1\Adobe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-03-15 11:37 37492 --a------ C:\WINDOWS\system32\nerocheck.exe
    2007-03-15 11:37 37492 --a------ C:\WINDOWS\system32\lsasss.exe
    2007-02-27 09:52 -------- d-------- C:\Program Files\messenger
    2007-02-22 08:10 -------- d-------- C:\DOCUME~1\DAN~1.123\APPLIC~1\real


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "Lexmark_X79-55"="C:\\WINDOWS\\System32\\lsasss.exe"
    "BootService"="rundll32.exe \"C:\\WINDOWS\\iihgfd.dll\",realset"
    "Intel system tool"="C:\\WINDOWS\\System32\\svehost.exe"
    "clcl3"="C:\\WINDOWS\\System32\\clcl3.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
    "clcl"="command.com /c del C:\\WINDOWS\\System32\\clcl.exe"


    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kbdmap

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0



    ********************************************************************

    catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    ********************************************************************

    Completion time: 07-04-09 5:55:50
    C:\ComboFix-quarantined-files.txt ... 07-04-09 05:55
     
  8. 2007/04/09
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, looks to be an AWF infection.

    Please click here and select Save. Save FindAWF to your desktop.

    Double Click FindAWF.exe and let it run, it will create the file awf.txt on your desktop when finished.

    Open awf.txt in notepad, select Edit> Select All> Edit> Copy> and Paste the contents.
     
  9. 2007/04/09
    SquidVicious

    AWF as requested

    Find AWF report by noahdfear ©2006


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\MESSEN~1\BAK

    0 File(s) 0 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    02/27/2007 09:51 AM 36,493 lsasss.exe
    07/09/2001 11:50 AM 155,648 NeroCheck.exe
    2 File(s) 192,141 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    02/21/2007 11:58 AM 185,896 realsched.exe
    1 File(s) 185,896 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    36493 Feb 27 2007 "C:\WINDOWS\system32\bak\lsasss.exe"
    36493 Feb 27 2007 "C:\WINDOWS\system32\NeroCheck.exe1173276974"
    155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
    185896 Feb 21 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


    end of report
     
  10. 2007/04/10
    TeMerc

    OK, I'm getting some assistance on this, as it's a bit complex, requiring some custom batch file work and special tools to reset things back to what they ought to be.

    Download Atribune's ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    • Tick the following boxes
    • Windows Temp
    • Current User Temp
    • All User Temp
    • Cookies<<<---By deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.
    • Temporary Internet Files
    • History
    • Prefetch
    • Java Cache
    Don't do anything yet.

    2.) Download DelDomains and place it on the desktop.

    Do nothing with it yet.

    3.) Download: ResetProtocolDefaults.reg

    Copy the code below to a blank notepad. Make sure the formatting stays the same. Save it to the desktop, but don't do anything yet with it.
    Filename: FixAWF.bat
    Save As Type: All Files (*.*)

    Code:
    @echo off
    rem Delete the infected files
    del /f "C:\WINDOWS\system32\NeroCheck.exe1173276974"
    rem Restore the backup copy from the bak folder
    copy "C:\WINDOWS\system32\bak\NeroCheck.exe" "C:\Windows\system32"
    del /f "C:\WINDOWS\system32\bak\lsasss.exe"
    copy "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB"
    rem Remove the bak folders
    rd /s /q C:\PROGRA~1\MESSEN~1\BAK
    rd /s /q C:\Windows\System32\Bak
    rd /s /q C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
    Now, back to ATF Cleaner, click the [Empty Selected] button. Once that is done, exit the program.

    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    3.) Locate ResetProtocolDefaults.reg
    Right click it, choose merge
    Answer Yes & OK.

    This resets IE security settings to default.

    4.) Locate DelDomains.inf
    Right click it, choose install

    You will see nothing happening. Once Hourglass is gone--it is done.

    This removes the bad trusted domains added to your IE trusted zone.

    5.) Locate fixawf.bat
    Double click it and let it run.
    A "dos" box will flash up & disappear. Normal

    This deletes the infected files and replaces them with the backups.

    6.) Open Internet Options in your control panel
    Click "connections" tab.

    If you see Broadcaster, delete it.

    While still in 'Safe Mode', run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':

    O2 - BHO: (no name) - {1b0777ba-bee8-4a3c-89d0-0068a1e225da} - C:\WINDOWS\system32\kbdmap.dll


    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\iihgfd.dll",realset

    O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe


    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21971219...p/RdxIE601.cab


    O20 - AppInit_DLLs:

    O20 - Winlogon Notify: kbdmap - C:\WINDOWS\SYSTEM32\kbdmap.dll


    Reboot the system, let me know of any ongoing problems and post a fresh HJT log please.
     
  11. 2007/04/10
    SquidVicious

    As requested HJT log

    Logfile of HijackThis v1.99.1
    Scan saved at 5:40:38 AM, on 4/10/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\program files\internet explorer\iexplore.exe
    C:\Program Files\HJT\HJT.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\System32\winsys16_070409.dll start
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    The computer seems to be running more normally however AVG has popped up a warning twice when I started IE referring to a LoggerAgent.pn

    Thanks

    Squid
     
  12. 2007/04/10
    TeMerc

    Let's get another ComboFix log please, thanks.
     
  13. 2007/04/12
    SquidVicious

    As requested ComboFix log

    ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Dan.123-O348O56RRHK\Desktop"


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\AlxRes070412.exe
    C:\WINDOWS\system32\scrsys070412.scr
    C:\WINDOWS\system32\scrsys16_070412.scr
    C:\WINDOWS\system32\winsys16_070412.dll
    C:\WINDOWS\system32\winsys32_070412.dll
    C:\WINDOWS\system32\mywebhit.ini
    C:\WINDOWS\system32\mywebhit.ini.tmp
    C:\WINDOWS\mywinsys.ini
    C:\WINDOWS\hitpop_tmp.txt


    ((((((((((((((((((((((((((((((( Files Created from 2007-03-12 to 2007-04-12 ))))))))))))))))))))))))))))))))))


    2007-04-11 05:53 36,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
    2007-04-11 05:53 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
    2007-04-11 05:53 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2007-04-11 05:53 129,784 --------- C:\WINDOWS\system32\pxafs.dll
    2007-04-11 05:53 115,880 --------- C:\WINDOWS\system32\pxinsi64.exe
    2007-04-11 05:52 <DIR> d-------- C:\WINDOWS\LastGood
    2007-04-10 05:37 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
    2007-04-09 05:57 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-04-09 05:47 <DIR> d---s---- C:\DOCUME~1\DAN~1.123\UserData
    2007-04-09 01:19 73,728 --a------ C:\WINDOWS\system32\svehost.exe
    2007-04-08 19:17 <DIR> d-------- C:\Program Files\HJT
    2007-04-08 06:41 106,767 --a------ C:\WINDOWS\iihgfd.dll
    2007-04-07 20:59 106 --a------ C:\delete.bat
    2007-04-07 20:50 <DIR> d-------- C:\VundoFix Backups
    2007-04-07 20:42 <DIR> d-------- C:\DOCUME~1\DAN~1.123\APPLIC~1\Google
    2007-04-07 20:42 <DIR> d-------- C:\DOCUME~1\DAN~1.123\APPLIC~1\Adobe
    2007-04-07 20:24 97,280 --a------ C:\VundoFix.exe
    2007-03-27 03:42 <DIR> d-------- C:\DOCUME~1\MARY~1.123\APPLIC~1\Google
    2007-03-27 03:42 <DIR> d-------- C:\DOCUME~1\MARY~1.123\APPLIC~1\Adobe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-04-11 05:53 -------- d-------- C:\Program Files\winamp
    2007-02-27 09:52 -------- d-------- C:\Program Files\messenger
    2007-02-22 08:10 -------- d-------- C:\DOCUME~1\DAN~1.123\APPLIC~1\real


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
    "WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0



    ********************************************************************

    catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    ********************************************************************

    Completion time: 07-04-12 18:51:14
    C:\ComboFix-quarantined-files.txt ... 07-04-12 18:51
    C:\ComboFix2.txt ... 07-04-09 05:55
     
  14. 2007/04/14
    TeMerc

    Download the Killbox from here and save it to the desktop.
    • Double-click the KillBox icon on your desktop to open it
    • Select "Delete on Reboot"
    • Then select "All files".
    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\system32\svehost.exe
    C:\WINDOWS\iihgfd.dll


    Return to Killbox
    • Go to the File menu, and choose "Paste from Clipboard".
    • Click the red-and-white [Delete File] button.
    • Click "Yes" at the Delete on Reboot prompt. Click "No" at the 'Pending Operations' prompt.

    Reboot and run ComboFix first, then HJT and post both logs back into this thread.
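
Added example (not part of the original thread, and not ComboFix's own logic): a Python check that compares the two ComboFix logs posted above and reports files whose HKLM Run entry disappeared after cleanup while the file itself is still listed, unchanged, under "Files Created". The log excerpts are cut down from the posts with the quoting normalised; the function names are hypothetical.

```python
import re

# Excerpts of the ComboFix logs from 2007-04-09 and 2007-04-12 in this thread,
# reduced to the lines the check needs (constructed from the posts above).
LOG_BEFORE = r'''
((( Files Created from 2007-03-09 to 2007-04-09 )))
2007-04-09 01:19 73,728 --a------ C:\WINDOWS\system32\svehost.exe
2007-04-09 01:19 204,288 --a------ C:\WINDOWS\system32\clcl3.exe
2007-04-08 06:41 106,767 --a------ C:\WINDOWS\iihgfd.dll
2007-04-02 16:25 19,275 --a------ C:\WINDOWS\system32\kbdmap.dll
((( Reg Loading Points )))
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Lexmark_X79-55"="C:\\WINDOWS\\System32\\lsasss.exe"
"BootService"="rundll32.exe \"C:\\WINDOWS\\iihgfd.dll\",realset"
"Intel system tool"="C:\\WINDOWS\\System32\\svehost.exe"
"clcl3"="C:\\WINDOWS\\System32\\clcl3.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"clcl"="command.com /c del C:\\WINDOWS\\System32\\clcl.exe"
'''

LOG_AFTER = r'''
((( Files Created from 2007-03-12 to 2007-04-12 )))
2007-04-10 05:37 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-04-09 01:19 73,728 --a------ C:\WINDOWS\system32\svehost.exe
2007-04-08 06:41 106,767 --a------ C:\WINDOWS\iihgfd.dll
((( Reg Loading Points )))
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
'''

RUN_KEY = r"[hkey_local_machine\software\microsoft\windows\currentversion\run]"
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) ([\d,]+) \S+ (C:\\.+)$", re.M)
ENTRY_RE = re.compile(r'^"(.+?)"="(.*)"$')
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|scr)', re.I)


def files_created(log):
    """Map lower-cased path -> (timestamp, size) for every file line (<DIR> lines are skipped)."""
    return {m.group(3).strip().lower(): (m.group(1), m.group(2))
            for m in FILE_RE.finditer(log)}


def run_entries(log):
    """Return {value name: command line} for the HKLM Run key only (RunOnce is ignored)."""
    entries, key = {}, ""
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("["):
            key = line.lower()
        elif key == RUN_KEY:
            m = ENTRY_RE.match(line)
            if m:
                # Undo .reg-style escaping: \\ -> \ and \" -> "
                entries[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return entries


def leftovers(before, after):
    """Run entries removed between the logs whose target file is still listed unchanged."""
    run_before, run_after = run_entries(before), run_entries(after)
    f_before, f_after = files_created(before), files_created(after)
    found = []
    for name, command in run_before.items():
        if name in run_after:
            continue  # autostart entry is still present, not a leftover
        m = PATH_RE.search(command)
        if not m:
            continue
        path = m.group(0).lower()
        # Same timestamp and size in both listings means the same file is still
        # on disk. NeroCheck.exe appears only in the later listing with a new
        # date and size (the copy restored from bak), so it is not reported.
        if path in f_before and f_after.get(path) == f_before[path]:
            found.append((name, m.group(0)))
    return found


if __name__ == "__main__":
    for name, path in leftovers(LOG_BEFORE, LOG_AFTER):
        print(f"Run entry '{name}' is gone but {path} is still listed")
```

On these excerpts it reports C:\WINDOWS\iihgfd.dll and C:\WINDOWS\System32\svehost.exe, the same two files queued in Killbox above.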
     
