TechSpot

IC8D1A13...infection

Solved
By randy
Jul 12, 2012
  1. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    =============================================

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please, let me know, how your computer is doing.
     
  2. randy

    randy TS Rookie Topic Starter Posts: 79

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Guest
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LogMeInRemoteUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LogMeInRemoteUser.RANDY
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Randy Enns
    ->Temp folder emptied: 1349982 bytes
    ->Temporary Internet Files folder emptied: 35920 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 46166126 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 456 bytes

    User: Tana
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Tana Lynn
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 48262 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 762617 bytes

    Total Files Cleaned = 46.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User

    User: Guest

    User: LocalService

    User: LogMeInRemoteUser

    User: LogMeInRemoteUser.RANDY

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    User: Randy Enns
    ->Flash cache emptied: 0 bytes

    User: Tana

    User: Tana Lynn
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: Administrator

    User: All Users

    User: Default User

    User: Guest

    User: LocalService

    User: LogMeInRemoteUser

    User: LogMeInRemoteUser.RANDY

    User: NetworkService
    ->Java cache emptied: 0 bytes

    User: Randy Enns
    ->Java cache emptied: 0 bytes

    User: Tana

    User: Tana Lynn
    ->Java cache emptied: 0 bytes

    Total Java Files Cleaned = 0.00 mb

    Unable to start System Restore Service. Error code 10

    OTL by OldTimer - Version 3.2.54.0 log created on 07212012_112008

    Files\Folders moved on Reboot...

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
     
  3. Broni

    Broni Malware Annihilator Posts: 47,015   +255

     
  4. randy

    randy TS Rookie Topic Starter Posts: 79

    I am doing the remaining items...however on boot up this morning the same AVG window with the backdoor trojan appeared
    should I delete all tools and logs or will we ned them?
     
  5. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    Did you allow AVG to fix the issue?

    It's all in my previous reply.
     
  6. randy

    randy TS Rookie Topic Starter Posts: 79

    I let avg move it to the vault (recommended) and another appears and another and another...??
     
  7. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    Is it always same name/same location?
     
  8. randy

    randy TS Rookie Topic Starter Posts: 79

    no...C:\windows\system32\various.dll
     
  9. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  10. randy

    randy TS Rookie Topic Starter Posts: 79

    ok broni...but I will be in and out of the huse working outside so my replies may be sporadic...thnx man
     
  11. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    No problem :)
     
     
  12. randy

    randy TS Rookie Topic Starter Posts: 79

    how do you disable script blocking?
     
  13. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    Don't worry about it.
    You must uninstall AVG though in order to run Combofix.
    Use the tool mentioned in my instructions.
     
  14. randy

    randy TS Rookie Topic Starter Posts: 79

    I think I disabled rather than removed av on the first go around...my bad
     
  15. randy

    randy TS Rookie Topic Starter Posts: 79

    ComboFix 12-07-21.01 - Randy Enns 07/21/2012 13:09:10.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1168 [GMT -5:00]
    Running from: c:\documents and settings\Randy Enns\My Documents\Downloads\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-21 to 2012-07-21 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-21 16:11 . 2012-07-21 16:11 -------- d-----w- c:\program files\Common Files\Java
    2012-07-21 16:10 . 2012-07-21 16:10 -------- d-----w- c:\program files\Oracle
    2012-07-21 16:10 . 2012-07-21 16:10 -------- d-----w- c:\documents and settings\Randy Enns\Application Data\Oracle
    2012-07-21 16:10 . 2012-07-06 03:06 772544 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-07-21 02:22 . 2012-07-21 02:22 -------- d-----w- c:\program files\ESET
    2012-07-20 01:53 . 2008-04-13 15:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
    2012-07-20 01:53 . 2008-04-13 15:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2012-07-19 01:16 . 2012-07-19 01:16 -------- d-----w- c:\documents and settings\Randy Enns\Application Data\Malwarebytes
    2012-07-19 01:15 . 2012-07-19 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-07-19 01:15 . 2012-07-19 01:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-07-19 01:15 . 2012-07-03 18:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-11 20:16 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
    2012-07-11 19:07 . 2012-07-11 19:07 -------- d-----w- C:\3359bb307089d46d58a69cb8
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-06 03:07 . 2011-07-25 21:47 143872 ----a-w- c:\windows\system32\javacpl.cpl
    2012-07-06 03:06 . 2011-07-25 21:47 687544 -c--a-w- c:\windows\system32\deployJava1.dll
    2012-06-13 13:19 . 2006-01-29 21:54 1866112 ------w- c:\windows\system32\win32k.sys
    2012-06-05 15:50 . 2008-09-22 02:08 1372672 ------w- c:\windows\system32\msxml6.dll
    2012-06-05 15:50 . 2006-01-29 21:54 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-04 04:32 . 2006-01-29 21:54 152576 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 19:19 . 2007-06-23 15:02 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
    2012-06-02 19:19 . 2007-06-23 15:02 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
    2012-06-02 19:19 . 2006-01-29 23:08 329240 ----a-w- c:\windows\system32\wucltui.dll
    2012-06-02 19:19 . 2006-01-29 23:08 210968 ----a-w- c:\windows\system32\wuweb.dll
    2012-06-02 19:19 . 2006-01-29 23:08 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
    2012-06-02 19:19 . 2007-06-23 15:02 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
    2012-06-02 19:19 . 2006-01-29 23:08 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 19:19 . 2006-01-29 23:08 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 19:19 . 2006-01-29 21:54 97304 ----a-w- c:\windows\system32\cdm.dll
    2012-06-02 19:19 . 2005-05-26 12:16 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 19:19 . 2007-06-23 15:02 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
    2012-06-02 19:19 . 2006-01-29 23:08 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 19:19 . 2006-01-29 23:08 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 19:18 . 2007-10-15 15:19 275696 ----a-w- c:\windows\system32\mucltui.dll
    2012-06-02 19:18 . 2007-10-15 15:19 214256 ----a-w- c:\windows\system32\muweb.dll
    2012-06-02 19:18 . 2007-10-15 15:19 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
    2012-05-31 13:22 . 2006-01-29 21:54 599040 ----a-w- c:\windows\system32\crypt32.dll
    2012-05-16 15:08 . 2006-01-29 21:54 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-05-11 14:42 . 2006-01-29 21:54 43520 ------w- c:\windows\system32\licmgr10.dll
    2012-05-11 14:42 . 2006-01-29 21:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-05-11 11:38 . 2006-01-29 21:54 385024 ------w- c:\windows\system32\html.iec
    2012-05-04 13:16 . 2006-01-29 21:54 2148352 ------w- c:\windows\system32\ntoskrnl.exe
    2012-05-04 12:32 . 2004-08-03 22:59 2026496 ------w- c:\windows\system32\ntkrnlpa.exe
    2012-05-02 13:46 . 2006-01-29 23:05 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
    2012-07-17 22:35 . 2012-07-12 21:00 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c}]
    2011-05-30 13:48 87480 ----a-w- c:\progra~1\BEARSH~1\MediaBar\Datamngr\ToolBar\bsdtxmltbpi.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c}"= "c:\progra~1\BEARSH~1\MediaBar\Datamngr\ToolBar\bsdtxmltbpi.dll" [2011-05-30 87480]
    .
    [HKEY_CLASSES_ROOT\clsid\{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2006-05-04 16206848]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "TFncKy"="TFncKy.exe" [BU]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-01 7557120]
    "NVRotateSysTray"="c:\windows\system32\nvsysrot.dll" [2006-05-01 49152]
    "TPSMain"="TPSMain.exe" [2005-06-01 282624]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-06 421888]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    c:\documents and settings\Randy Enns\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Device Monitor 3.lnk - c:\program files\PIXELA\Everio MediaBrowser 3\MBCameraMonitor.exe [2011-10-22 542064]
    RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-1-29 155648]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
    2010-02-23 18:55 147832 ----a-w- c:\program files\Citrix\GoToAssist Express Customer\209\g2ax_winlogon.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FTPVoyager.exe"=
    "c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FVScheduler.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\BearShare Applications\\MediaBar\\Datamngr\\ToolBar\\dtUser.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/18/2012 8:15 PM 655944]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/18/2012 8:15 PM 22344]
    S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2/5/2011 5:42 PM 374152]
    S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\209\g2ax_service.exe [2/23/2010 1:56 PM 161144]
    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [7/12/2012 4:00 PM 113120]
    S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [11/4/2011 12:26 PM 18432]
    S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe" --> c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [?]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    NETSVCS REQUIRES REPAIRS - current entries shown
    6to4
    AppMgmt
    AudioSrv
    Browser
    CryptSvc
    DMServer
    DHCP
    ERSvc
    EventSystem
    FastUserSwitchingCompatibility
    HidServ
    Ias
    Iprip
    Irmon
    LanmanServer
    LanmanWorkstation
    Messenger
    Netman
    Nla
    Ntmssvc
    NWCWorkstation
    Nwsapagent
    Rasauto
    Rasman
    usbcm
    btfirst
    kerbkey
    ssm_mdfl
    s116bus
    lgsnd_filter
    captureservice
    d-link_st3402
    ss_bus
    symidsco
    procdd
    UxTuneUp
    JRAID
    mclogmanagerservice
    btwdins
    sqlagent$sony_mediamgr
    X10UIF
    raysatxsi5_0server
    dphost
    McciCMService
    mcdetect.exe
    REVO
    backupexecalertserver
    ps2
    UVCFTR
    REVOSENS
    igniteservice.exe
    tunnelguardservice
    mozyFilter
    avinitnt
    tomcatcws3
    FINEPIX_PCC
    sqlagent$soshome22
    hwpsgt
    gdihook5
    se58mdfl
    mrvw245
    mwssched
    ssmdrv
    srtspx
    ccalib8
    cpqfws2e
    qbposdbservices
    hnmsvc
    oracle_load_balancer_60_client-forms6ip9
    winpower
    cpqdfw
    wcontrol
    WmXlCore
    obvious
    se44mdfl
    superproserver
    adfs
    MSMQ
    TPECioCtl
    pdlncfwk
    roxupnprenderer
    aamqdispatcher
    vxsvc
    mbr
    iaimfp4
    se44bus
    sdhelper
    s616obex
    k750bus
    symndis
    RapiMgr
    pdlnemap
    ufad-ws60
    uploadmgr
    Defrag32b
    BoiHwsetup
    YahooAUService
    SNTIE
    SiSRaid2
    ATMsrvc
    retroexplauncher
    parallel
    w810bus
    btkrnl
    mcafeeframework
    websenseclientdeployservice
    mwstick
    s616mdfl
    mssql$microsoftsmlbiz
    adihdaudaddservice
    se58bus
    MSICPL
    lxct_device
    PID_08A0
    cvspydr2
    datunidr
    dot4ufd
    w300mdm
    KR10N
    tb2launch
    ZDCNDIS5
    rnadirectory
    amfilter
    kodakccs
    Remoteaccess
    Schedule
    Seclogon
    SENS
    Sharedaccess
    SRService
    Tapisrv
    Themes
    TrkWks
    W32Time
    WZCSVC
    Wmi
    WmdmPmSp
    winmgmt
    wscsvc
    xmlprov
    MHN
    BITS
    wuauserv
    ShellHWDetection
    helpsvc
    WmdmPmSN
    napagent
    hkmsvc
    TermService
    ip6fwhlp
    sacsvr
    trksvr
    .
    Rebuilding ... You need to reboot your machine for this to take effect.
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-25 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 20:34]
    .
    2012-07-21 c:\windows\Tasks\DriverScanner.job
    - c:\program files\Uniblue\DriverScanner\dsmonitor.exe [2011-07-25 18:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.bearshare.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\documents and settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://canuckscorner.com/
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - c:\progra~1\BEARSH~1\MediaBar\Datamngr\IEBHO.dll
    WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
    HKLM-Run-DATAMNGR - c:\progra~1\BEARSH~1\MediaBar\Datamngr\DATAMN~1.EXE
    HKLM-Run-HF_G_Jul - c:\program files\AVG Secure Search\HF_G_Jul.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-07-21 13:14
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(884)
    c:\program files\Citrix\GoToAssist Express Customer\209\g2ax_winlogon.dll
    .
    - - - - - - - > 'explorer.exe'(2252)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\TPwrCfg.DLL
    c:\windows\system32\TPwrReg.dll
    c:\windows\system32\TPSTrace.DLL
    .
    Completion time: 2012-07-21 13:16:23
    ComboFix-quarantined-files.txt 2012-07-21 18:16
    .
    Pre-Run: 114,936,315,904 bytes free
    Post-Run: 114,912,043,008 bytes free
    .
    - - End Of File - - 18F24D9E26477051EB7B16AC2E85F938
     
  16. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    Nothing malicious there.

    Reinstall AVG, update it, run full scan and let me know what it reports.
     
  17. randy

    randy TS Rookie Topic Starter Posts: 79

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 07/21/2012 at 13:27:36.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:



    Rkill completed on 07/21/2012 at 13:27:40.
     
  18. randy

    randy TS Rookie Topic Starter Posts: 79

    running new / updated AVG whole computer scan..going outside for a while will report back
     
  19. randy

    randy TS Rookie Topic Starter Posts: 79

    "Scan ""Scan whole computer"" was finished."
    "Warnings";"35"
    "Folders selected for scanning:";"Scan whole computer"
    "Scan started:";"Saturday, July 21, 2012, 1:56:53 PM"
    "Scan finished:";"Saturday, July 21, 2012, 3:13:42 PM (1 hour(s) 16 minute(s) 48 second(s))"
    "Total object scanned:";"658560"
    "User who launched the scan:";"Randy Enns"

    "Warnings"
    "File";"Infection";"Result"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite";"Found Tracking cookie.Realmedia";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\casalemedia.com.12e6c053";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\casalemedia.com.1773afc";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\casalemedia.com.1e1e0e23";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\casalemedia.com.2d37ad26";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\casalemedia.com.350339d4";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\casalemedia.com.987e6b46";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\casalemedia.com.80ad4799";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\casalemedia.com.9aa52eb1";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\liveperson.net.8db0737c";"Found Tracking cookie.Liveperson";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\liveperson.net.8db0737c";"Found Tracking cookie.Liveperson";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\pro-market.net.1d1ba569";"Found Tracking cookie.Pro-market";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\pro-market.net.266912e2";"Found Tracking cookie.Pro-market";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\casalemedia.com.8c65eddd";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\casalemedia.com.fb62dd4b";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\pro-market.net.bbf67f2d";"Found Tracking cookie.Pro-market";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\revsci.net.1d1a4fbf";"Found Tracking cookie.Revsci";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\revsci.net.1ecc4d24";"Found Tracking cookie.Revsci";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\pro-market.net.e3b25da3";"Found Tracking cookie.Pro-market";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\realmedia.com.125a868c";"Found Tracking cookie.Realmedia";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\realmedia.com.e14be39e";"Found Tracking cookie.Realmedia";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\revsci.net.3983b30a";"Found Tracking cookie.Revsci";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\pro-market.net.679dd108";"Found Tracking cookie.Pro-market";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\revsci.net.46bdaf68";"Found Tracking cookie.Revsci";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\revsci.net.50e13b1b";"Found Tracking cookie.Revsci";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\revsci.net.55564293";"Found Tracking cookie.Revsci";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\realmedia.com.855b46d";"Found Tracking cookie.Realmedia";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\revsci.net.8642c85d";"Found Tracking cookie.Revsci";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\serving-sys.com.176b0dad";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\serving-sys.com.4cd8c2e9";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\serving-sys.com.a222cbcd";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\serving-sys.com.bb39fa8c";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\serving-sys.com.db46cecc";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Mozilla\Firefox\Profiles\fjj6xe7h.default\cookies.sqlite:\tacoda.net.90e15025";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
    "C:\Documents and Settings\Randy Enns\Application Data\Opera\Opera\profile\cookies4.dat";"Found Tracking cookie.Atdmt";"Healed"
    "C:\Documents and Settings\Randy Enns\Application Data\Opera\Opera\profile\cookies4.dat:\atdmt.com.7247c262";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
    "C:\Documents and Settings\Randy Enns\Application Data\Opera\Opera\profile\cookies4.dat:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
    "C:\Documents and Settings\Randy Enns\Application Data\Opera\Opera\profile\cookies4.dat:\mediaplex.com.dc30fb3c";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
    "C:\Documents and Settings\Randy Enns\Application Data\Opera\Opera\profile\cookies4.dat:\mediaplex.com.f652b123";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
    "C:\Documents and Settings\Randy Enns\Application Data\Opera\Opera\profile\cookies4.dat:\questionmarket.com.3eb5a9f1";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
    "C:\Documents and Settings\Randy Enns\Application Data\Opera\Opera\profile\cookies4.dat:\questionmarket.com.4dd5e426";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
    "C:\Documents and Settings\Randy Enns\Application Data\Opera\Opera\profile\cookies4.dat:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "C:\Documents and Settings\Randy Enns\Application Data\Opera\Opera\profile\cookies4.dat:\revsci.net.18a1d1b2";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "C:\Documents and Settings\Randy Enns\Application Data\Opera\Opera\profile\cookies4.dat:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "C:\Documents and Settings\Randy Enns\Application Data\Opera\Opera\profile\cookies4.dat:\revsci.net.ef372106";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite";"Found Tracking cookie.Advertising";"Healed"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\2o7.net.62e7ac24";"Found Tracking cookie.2o7";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\2o7.net.655c18b5";"Found Tracking cookie.2o7";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\ad.yieldmanager.com.8a47878";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\ad.yieldmanager.com.830b6f08";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\ad.yieldmanager.com.b68f2b7b";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\ad.yieldmanager.com.e626e6be";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\2o7.net.7130ef3";"Found Tracking cookie.2o7";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\2o7.net.7295933d";"Found Tracking cookie.2o7";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\ad.yieldmanager.com.9ffdf2e7";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\ad.yieldmanager.com.ff92306";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\adbrite.com.215df2f3";"Found Tracking cookie.Adbrite";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\adbrite.com.37283d89";"Found Tracking cookie.Adbrite";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\adbrite.com.71beeff9";"Found Tracking cookie.Adbrite";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\adbrite.com.d5e309c2";"Found Tracking cookie.Adbrite";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\adtech.de.a9245469";"Found Tracking cookie.Adtech";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\2o7.net.c41fb9b6";"Found Tracking cookie.2o7";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\advertising.com.1dfa2206";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\advertising.com.203aa218";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\advertising.com.525a5fb9";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\advertising.com.82fea56";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\advertising.com.b624fa46";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\adviva.net.c0476bb7";"Found Tracking cookie.Adviva";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\atdmt.com.7247c262";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\burstnet.com.a3218a37";"Found Tracking cookie.Burstnet";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\casalemedia.com.12e6c053";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\fastclick.net.8a6435e9";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\atdmt.com.74c5668";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\atdmt.com.9e6d7fd3";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\casalemedia.com.1773afc";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\casalemedia.com.2d37ad26";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\casalemedia.com.1e1e0e23";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\casalemedia.com.350339d4";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\casalemedia.com.80ad4799";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\casalemedia.com.987e6b46";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\casalemedia.com.fb62dd4b";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\m.webtrends.com.b4ca7df0";"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\mediaplex.com.dc30fb3c";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\mediaplex.com.f652b123";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\overture.com.52ca467a";"Found Tracking cookie.Overture";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\overture.com.e626e6be";"Found Tracking cookie.Overture";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\pointroll.com.72c0abc9";"Found Tracking cookie.Pointroll";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\pointroll.com.f2d5a6f6";"Found Tracking cookie.Pointroll";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\questionmarket.com.3eb5a9f1";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\questionmarket.com.4dd5e426";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\realmedia.com.6c43ee6b";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\realmedia.com.855b46d";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\revsci.net.1d1a4fbf";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\revsci.net.1ecc4d24";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\revsci.net.3983b30a";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\revsci.net.46bdaf68";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\revsci.net.50e13b1b";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\ru4.com.5a5e0633";"Found Tracking cookie.Ru4";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\serving-sys.com.176b0dad";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\serving-sys.com.a222cbcd";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\serving-sys.com.db46cecc";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\statse.webtrendslive.com.b4ca7df0";"Found Tracking cookie.Webtrendslive";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\ru4.com.82a499d7";"Found Tracking cookie.Ru4";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\ru4.com.83b89ffa";"Found Tracking cookie.Ru4";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\weborama.fr.30104bcb";"Found Tracking cookie.Weborama";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\yadro.ru.a4842f54";"Found Tracking cookie.Yadro";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\yadro.ru.c77afad5";"Found Tracking cookie.Yadro";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\zedo.com.27f1639b";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Application Data\Mozilla\Firefox\Profiles\8laj5d1l.default\cookies.sqlite:\zedo.com.c1dd09f2";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Cookies\0VTWU7K6.txt";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Cookies\0VTWU7K6.txt:\atdmt.com.7247c262";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Cookies\0VTWU7K6.txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Cookies\tana_lynn@ad.yieldmanager[2].txt";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Cookies\tana_lynn@ad.yieldmanager[2].txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Cookies\tana_lynn@ad.yieldmanager[2].txt:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Cookies\tana_lynn@ad.yieldmanager[2].txt:\ad.yieldmanager.com.8a47878";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Cookies\tana_lynn@ad.yieldmanager[2].txt:\ad.yieldmanager.com.b68f2b7b";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Cookies\tana_lynn@ad.yieldmanager[2].txt:\ad.yieldmanager.com.e626e6be";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "C:\Documents and Settings\Tana Lynn\Cookies\tana_lynn@ad.yieldmanager[2].txt:\ad.yieldmanager.com.ff92306";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
     
  20. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    Only tracking cookies there.
    Not a big deal.

    Anything else?
     
    randy likes this.
  21. randy

    randy TS Rookie Topic Starter Posts: 79

    I guess not broni.....if that trojan shows up do I pm you? I can thank you enough. I am in tough times finacially right now and my paypal is shutdown but I hope I can get you something in the not too distant future, must be hard for you guys like me that dont know squat,,,lol thnx man
     
  22. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    I'll keep this topic open.

    Good luck and stay safe :)
     
  23. randy

    randy TS Rookie Topic Starter Posts: 79

    before I go...is AVG enough or should I get one of the 3 suggested on here? also I will finish off the tasks...secuna etc..
     
  24. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    You can run only one AV program running.
    You're fine.
     
  25. randy

    randy TS Rookie Topic Starter Posts: 79

    secunia keeps saying installation failed..I click ok and it keeps installing? have it and doing a scan now...
     


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.