Just got some bad stuff O.o

Krypto44 westport
edited April 2006 in Spyware & Virus Removal
I downloaded something I shouldn't have and as soon as I clicked on it realized I was screwed... here's my log file...

Logfile of HijackThis v1.99.1
Scan saved at 9:05:17 PM, on 4/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\windows\system32\mssearchnet.exe
C:\windows\system32\nvctrl.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\windows\system32\ctfmon.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\WINDOWS\system32\?ystem\fast.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\DOCUME~1\Stefan\LOCALS~1\Temp\Temporary Directory 2 for hijackthis_199.zip\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\windows\system32\hp83D8.tmp
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Hzsw] C:\WINDOWS\system32\?ystem\fast.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &WordWeb... - res://C:\windows\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119648359046
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: winexy32 - C:\windows\SYSTEM32\winexy32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Comments

  • skywalker45 Bloomington, IN. USA
    edited April 2006
    You are currently running Hijack This from here:

    C:\DOCUME~1\Stefan\LOCALS~1\Temp\Temporary Directory 2 for hijackthis_199.zip\HijackThis.exe

    This is a temporary directory. Please move Hijack This to its own folder or drag HijackThis.exe to your desktop. Post another log after you've done this.
  • Krypto44 westport
    edited April 2006
    Also, I did some things with Ad-Aware SE... antivirus, and various other things, however I'm positive I still have it.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:01:00 PM, on 4/19/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\Explorer.EXE
    C:\windows\system32\mssearchnet.exe
    C:\windows\system32\nvctrl.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\windows\system32\ctfmon.exe
    C:\PROGRA~1\Cacheman\Cacheman.exe
    C:\Program Files\Valve\Steam\Steam.exe
    C:\WINDOWS\system32\?ystem\fast.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\windows\system32\wuauclt.exe
    C:\DOCUME~1\Stefan\LOCALS~1\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Stefan\Desktop\HijackThis.exe

    O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\windows\system32\hpDE59.tmp
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [Hzsw] C:\WINDOWS\system32\?ystem\fast.exe
    O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O8 - Extra context menu item: &WordWeb... - res://C:\windows\wweb32.dll/lookup.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119648359046
    O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
    O20 - Winlogon Notify: winexy32 - C:\windows\SYSTEM32\winexy32.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
  • skywalker45 Bloomington, IN. USA
    edited April 2006
    Yes you still have it. Please download Ewido Anti-Malware from my signature below. Follow the instructions below:
    • Install Ewido Anti-Malware
    • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu."
    • Launch ewido, there should be a big "E" icon on your desktop, double-click it.
    • The program will prompt you to update; click the "OK" button
    • The program will now go to the main screen

      After installing you will need to update ewido to the latest definition files.

    • On the left hand side of the main screen click update
    • Click on Start

      The update will start and a progress bar will show the updates being installed. After the updates are installed, exit ewido.

      Once the updates are installed do the following:


    • If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.
    • Reboot into Safe Mode. You can do this by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter. Then, run ewido.
    • Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
    • Click on scanner
    • Click on Settings
      • Under "How to scan" all boxes should be selected
      • Under "Possibly unwanted software" all boxes should be selected
      • Under "What to scan" select scan every file
      • Click OK
    • Click on Complete system scan
    • Let the program scan the machine
    • If ewido finds anything, it will pop up a notification. Please check the box that says Perform Action with all Infections.
    • Click Save report
    • Save the report to your desktop
    • Exit ewido

    Post back with the Ewido log and a fresh Hijack This log.
  • Krypto44 westport
    edited April 2006
    When turning on my comp and pressing F8... it brings up a menu "choose which drive to boot from" or something along those lines, with my floppy disk, two DVD drives, and one other one.

    Is there another way I can get into Safe Mode?
  • Krypto44 westport
    edited April 2006
    here is the ewido thing...
    ewido anti-malware - Scan report

    + Created on: 11:48:14 PM, 4/19/2006
    + Report-Checksum: 55AAB2ED

    + Scan result:

    HKLM\SOFTWARE\WinHound.com -> Spyware.WinHound : Error during cleaning
    HKLM\SOFTWARE\WinHound.com\WinHound -> Spyware.WinHound : Error during cleaning
    HKLM\SOFTWARE\WinHound.com\WinHound\WinHound -> Spyware.WinHound : Error during cleaning
    HKLM\SOFTWARE\WinHound.com\WinHound\WinHound\License -> Spyware.WinHound : Cleaned with backup
    :mozilla.21:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.22:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.24:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.25:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.29:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
    :mozilla.37:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.39:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.40:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.41:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
    :mozilla.42:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.43:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.44:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.45:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.46:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.47:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.48:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.49:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.50:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.51:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.52:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.53:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.54:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.55:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.56:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.57:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.58:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.59:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.64:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
    :mozilla.65:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
    :mozilla.79:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup
    :mozilla.81:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup
    :mozilla.82:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup
    :mozilla.84:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
    :mozilla.95:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.96:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.97:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.98:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.99:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.100:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.101:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.102:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.103:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.104:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.105:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.106:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.107:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.117:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
    :mozilla.118:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
    :mozilla.140:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.141:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.142:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.143:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.144:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.145:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.146:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.147:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.148:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.149:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.150:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.161:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.162:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.163:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.164:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.165:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
    :mozilla.166:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
    :mozilla.171:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
    :mozilla.193:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup
    :mozilla.202:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.207:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup
    :mozilla.214:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Trafic : Cleaned with backup
    :mozilla.216:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.217:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.218:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.219:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.220:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.221:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.242:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned with backup
    :mozilla.243:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.244:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.245:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.246:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.247:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.248:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.252:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.253:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.254:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.255:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.256:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.257:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.262:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
    :mozilla.263:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
    :mozilla.266:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.267:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.268:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.273:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.274:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.275:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.276:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.277:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.278:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.279:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.280:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.291:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
    :mozilla.299:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
    :mozilla.300:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
    :mozilla.328:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
    :mozilla.349:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.351:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.352:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.359:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.360:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.361:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.363:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.364:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.368:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
    :mozilla.375:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.376:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.377:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.378:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.379:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.380:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.381:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.382:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.383:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.384:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.385:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.386:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.387:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.388:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.389:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.390:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.391:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.392:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.393:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.394:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.395:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.396:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.397:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.398:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.399:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.400:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.401:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.402:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.403:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Paycounter : Cleaned with backup
    :mozilla.413:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned with backup
    :mozilla.414:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned with backup
    :mozilla.415:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned with backup
    :mozilla.418:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned with backup
    :mozilla.419:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
    :mozilla.420:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
    :mozilla.442:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Linkbuddies : Cleaned with backup
    :mozilla.445:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.446:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.447:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.448:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.449:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.450:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
    :mozilla.451:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
    :mozilla.452:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
    :mozilla.453:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
    :mozilla.454:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
    :mozilla.471:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup
    :mozilla.472:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.473:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.477:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup
    :mozilla.495:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.497:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Tracking101 : Cleaned with backup
    :mozilla.500:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
    :mozilla.501:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.513:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
    :mozilla.520:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
    :mozilla.530:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
    :mozilla.535:C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\fpstso6g.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    C:\Documents and Settings\Stefan\Cookies\stefan@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Stefan\Cookies\stefan@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Stefan\Cookies\stefan@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Stefan\Cookies\stefan@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Stefan\Cookies\stefan@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
    C:\Documents and Settings\Stefan\Local Settings\Temp\win9E.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\Documents and Settings\Stefan\Local Settings\Temporary Internet Files\Content.IE5\ZA4BNP8H\!update-3595[1].0000 -> Downloader.PurityScan.bw : Cleaned with backup
    C:\Program Files\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Cleaned with backup
    C:\RECYCLER\S-1-5-21-776561741-1336601894-725345543-1004\Dc10.exe -> Adware.MediaTickets : Cleaned with backup
    C:\WINDOWS\system32\dfrgsrv.exe -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\interf.tlb -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\mssearchnet.exe -> Hijacker.SpyAxe : Cleaned with backup
    C:\WINDOWS\system32\nvctrl.exe -> Hijacker.SpyAxe : Cleaned with backup


    ::Report End
  • Krypto44 westport
    edited April 2006
    here is another hijack one..
    Logfile of HijackThis v1.99.1
    Scan saved at 12:03:12 AM, on 4/20/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Stefan\Desktop\HijackThis.exe

    O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\windows\system32\hpE4E1.tmp
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [Hzsw] C:\WINDOWS\system32\?ystem\fast.exe
    O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O8 - Extra context menu item: &WordWeb... - res://C:\windows\wweb32.dll/lookup.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119648359046
    O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
    O20 - Winlogon Notify: winexy32 - C:\windows\SYSTEM32\winexy32.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
  • skywalker45 Bloomington, IN. USA
    edited April 2006
    You would need to choose the drive that Windows is installed on to boot from. Was this Ewido Scan done in safe mode? If you can't get into safe mode using F8 you can go to Start--->Run then type msconfig. On the general tab choose diagnostic startup then click apply. When you reboot you should boot into safe mode automatically. Then run the Ewido scan again if the first run wasn't in safe mode.

    You will need to go into msconfig again from safe mode after this is done and choose normal startup so that you can get back here and post a new Ewido log and a fresh Hijack This log.
  • Krypto44 westport
    edited April 2006
    I got in by pressing F5, and yes, the ewido scan was done in safe mode.

    I think it's gone... haven't seen any signs of it yet. However, I still think there is something bad.
  • Krypto44 westport
    edited April 2006
    Here's a fresh hijack log (not in safe)
    Logfile of HijackThis v1.99.1
    Scan saved at 12:30:31 PM, on 4/20/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\windows\system32\ctfmon.exe
    C:\PROGRA~1\Cacheman\Cacheman.exe
    C:\Program Files\Valve\Steam\Steam.exe
    C:\WINDOWS\system32\?ystem\fast.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Stefan\Desktop\HijackThis.exe

    O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\windows\system32\hpE4E1.tmp
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [Hzsw] C:\WINDOWS\system32\?ystem\fast.exe
    O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O8 - Extra context menu item: &WordWeb... - res://C:\windows\wweb32.dll/lookup.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119648359046
    O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
    O20 - Winlogon Notify: winexy32 - C:\windows\SYSTEM32\winexy32.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
  • skywalker45 Bloomington, IN. USA
    edited April 2006
    Please go here and run the Purity Scan Uninstaller. When you are finished please post a fresh Hijack This log. Also, before we do the next part of the fix, could you let me know if you use the Party Poker program?
  • Krypto44 westport
    edited April 2006
    Yes, I do play Party Poker... however a Titan Poker came on my desktop yesterday, so there might be something about that.... here is my new log


    Logfile of HijackThis v1.99.1
    Scan saved at 8:25:48 PM, on 4/20/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\Explorer.EXE
    C:\windows\system32\wuauclt.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\windows\system32\ctfmon.exe
    C:\PROGRA~1\Cacheman\Cacheman.exe
    C:\Program Files\Valve\Steam\Steam.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\Documents and Settings\Stefan\Desktop\HijackThis.exe

    O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\windows\system32\hpE4E1.tmp
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
    O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O8 - Extra context menu item: &WordWeb... - res://C:\windows\wweb32.dll/lookup.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119648359046
    O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
    O20 - Winlogon Notify: winexy32 - C:\windows\SYSTEM32\winexy32.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
  • skywalker45 Bloomington, IN. USA
    edited April 2006
    You might want to print these instructions as you will not have access to the internet for part of this fix.

    Run Hijack This again and put a check (tick) next to the following:

    O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\windows\system32\hpE4E1.tmp

    O20 - Winlogon Notify: winexy32 - C:\windows\SYSTEM32\winexy32.dll

    Close all other browsers/windows and click Fix Checked. Close Hijack This.

    Reboot into safe mode again. We need to make sure you can see all hidden files, explained below:
    • Click "Start".
    • Click "My Computer".
    • Select the "Tools" menu and click "Folder Options".
    • Select the "View" tab.
    • Under the "Hidden files and folders" heading, select "Show hidden files and folders".
    • Uncheck the "Hide protected operating system files (recommended)" option.
    • Click "Yes" to confirm.
    • Uncheck the "Hide file extensions for known file types".
    • Click "OK".

    Next use Windows Explorer to delete the following:

    C:\windows\system32\hpE4E1.tmp<----This file.
    C:\windows\SYSTEM32\winexy32.dll<----This file.

    Reboot into normal mode and post a fresh Hijack This log.
  • Krypto44 westport
    edited April 2006
    i deleted
    O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\windows\system32\hpE4E1.tmp
    and i tried to delete
    O20 - Winlogon Notify: winexy32 - C:\windows\SYSTEM32\winexy32.dll
    however, every time i turn on my comp again it comes back
  • Krypto44 westport
    edited April 2006
    i went into safe mode and tried removing C:\windows\system32\hpE4E1.tmp, but my computer couldn't find it.

    when i tried to delete C:\windows\SYSTEM32\winexy32.dll it said i couldn't because it was "either write protected or in use by another program" ***i tried to delete it right after i removed O20 - Winlogon Notify: winexy32 - C:\windows\SYSTEM32\winexy32.dll from hijack this



    my new log is this (i will check off O20...\winexy32.dll)
    Logfile of HijackThis v1.99.1
    Scan saved at 9:20:01 AM, on 4/21/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\windows\system32\ctfmon.exe
    C:\PROGRA~1\Cacheman\Cacheman.exe
    C:\Program Files\Valve\Steam\Steam.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Stefan\Desktop\HijackThis.exe

    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
    O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O8 - Extra context menu item: &WordWeb... - res://C:\windows\wweb32.dll/lookup.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119648359046
    O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
  • skywalker45 Bloomington, IN. USA
    edited April 2006
    I'm sorry if I didn't understand you the first time. Were you able, finally, to delete C:\windows\SYSTEM32\winexy32.dll? If not please reboot and post another log. If it's not going away with a reboot we'll need to use a different program to try to kill it.
  • Krypto44 westport
    edited April 2006
    No, i was not able to remove winexy32.dll....

    new HJT log

    Logfile of HijackThis v1.99.1
    Scan saved at 1:44:27 PM, on 4/21/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\windows\system32\wuauclt.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\windows\system32\ctfmon.exe
    C:\PROGRA~1\Cacheman\Cacheman.exe
    C:\Program Files\Valve\Steam\Steam.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Stefan\Desktop\HijackThis.exe

    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
    O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O8 - Extra context menu item: &WordWeb... - res://C:\windows\wweb32.dll/lookup.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119648359046
    O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
    O20 - Winlogon Notify: winexy32 - C:\windows\SYSTEM32\winexy32.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
  • skywalker45 Bloomington, IN. USA
    edited April 2006
    OK that's what I thought you meant. Please download Pocket Killbox from here. Unzip the program to your desktop.

    Open Killbox. Click the radio button that says delete on reboot. Now copy and paste the line below into the Killbox file field:

    C:\windows\SYSTEM32\winexy32.dll

    Next press the Red button with the white "X" in it. Killbox will tell you that one file will be removed on reboot. Click OK. Your PC will now reboot. Once it's rebooted run Hijack This again and put a check next to the following if it still exists:

    O20 - Winlogon Notify: winexy32 - C:\windows\SYSTEM32\winexy32.dll

    Close all other browsers/windows and click Fix Checked.

    Reboot once more and post a fresh Hijack This log.
  • Krypto44 westport
    edited April 2006
    i did that and when i logged on my comp for the first time it said O20 - Winlogon Notify: winexy32 - winexy32.dll (file missing)

    I removed it and will post a new hijack log
  • Krypto44 westport
    edited April 2006
    the winexy thing was removed...

    Logfile of HijackThis v1.99.1
    Scan saved at 5:53:30 PM, on 4/21/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\Explorer.EXE
    C:\windows\system32\wuauclt.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Documents and Settings\Stefan\Desktop\HijackThis.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\windows\system32\ctfmon.exe
    C:\PROGRA~1\Cacheman\Cacheman.exe
    C:\Program Files\Valve\Steam\Steam.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\WINDOWS\System32\imapi.exe

    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
    O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O8 - Extra context menu item: &WordWeb... - res://C:\windows\wweb32.dll/lookup.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119648359046
    O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
  • skywalker45 Bloomington, IN. USA
    edited April 2006
    Log looks clean. How are the symptoms?
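The check running through this thread is whether a flagged entry stays gone from one HijackThis log to the next. The Python sketch below is an added example, not part of the original posts or of HijackThis: it tracks the two flagged entries across a series of logs and reports one that was fixed and then came back. The log excerpts are constructed from lines quoted in the thread (the "after Killbox reboot" one from the line the poster reported, not from a posted log), and all function names are hypothetical.

```python
import re

# A HijackThis section line: a code such as O2, O20, R1, F2 or N4, then " - ", then the detail.
ENTRY = re.compile(r"^\s*([ORFN]\d{1,2}) - (.+?)\s*$")


def parse_entries(log_text):
    """Return {(code, label): target} for every section line in a HijackThis log."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process path or blank line
        code, detail = m.groups()
        fields = detail.split(" - ")
        # The first field names the entry; the last one is the file it points to, if any.
        entries[(code, fields[0])] = fields[-1] if len(fields) > 1 else ""
    return entries


def status(entries, key):
    """Classify one watched entry in one parsed log."""
    if key not in entries:
        return "absent"
    return "file missing" if entries[key].endswith("(file missing)") else "present"


def track(logs, watch):
    """Return {key: [status in each log, oldest first]} for the watched entries."""
    parsed = [parse_entries(text) for _, text in logs]
    return {key: [status(p, key) for p in parsed] for key in watch}


def reappeared(history):
    """True if the entry was seen, then absent, then listed again in a later log."""
    seen = gone = False
    for state in history:
        if state == "absent":
            gone = seen
        elif gone:
            return True
        else:
            seen = True
    return False


def changes(old_text, new_text):
    """Entries added and removed between two logs, as two sorted lists of keys."""
    old, new = parse_entries(old_text), parse_entries(new_text)
    return sorted(new.keys() - old.keys()), sorted(old.keys() - new.keys())


# Constructed excerpts: only the lines needed for the two flagged entries plus one
# unchanged entry, with a short header to show that non-section lines are skipped.
HEADER = "Logfile of HijackThis v1.99.1\n\nRunning processes:\nC:\\windows\\Explorer.EXE\n\n"
WB_LINE = r"O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll"
WINEXY_LINE = r"O20 - Winlogon Notify: winexy32 - C:\windows\SYSTEM32\winexy32.dll"
MISSING_LINE = r"O20 - Winlogon Notify: winexy32 - winexy32.dll (file missing)"
BHO_LINE = (r"O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b}"
            r" - C:\windows\system32\hpE4E1.tmp")

LOGS = [
    ("before the fix", HEADER + "\n".join([BHO_LINE, WB_LINE, WINEXY_LINE])),
    ("9:20 AM, 4/21", HEADER + WB_LINE),
    ("1:44 PM, 4/21", HEADER + "\n".join([WB_LINE, WINEXY_LINE])),
    ("after Killbox reboot", HEADER + "\n".join([WB_LINE, MISSING_LINE])),
    ("5:53 PM, 4/21", HEADER + WB_LINE),
]

# The two entries the helper asked to fix.
BHO = ("O2", "BHO: Nothing")
WINEXY = ("O20", "Winlogon Notify: winexy32")

if __name__ == "__main__":
    history = track(LOGS, [BHO, WINEXY])
    for key, states in history.items():
        print(key)
        for (name, _), state in zip(LOGS, states):
            print(f"    {name:22} {state}")
        if reappeared(states):
            print("    -> came back after being fixed; the fix did not hold")
```
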
  • Krypto44 westport
    edited April 2006
    haven't gotten any random pop ups, start up doesn't take 5 minutes. i think we've fixed it =).

    Thanks for your help!
  • skywalker45 Bloomington, IN. USA
    edited April 2006
    You're welcome. Please see below for some tips for staying clean.
    :)

    Congratulations. Your log is clean! You should reward yourself very liberally! Now some pointers on how to stay clean and keep your sanity. You may be thinking now "how did I get infected?" Please read this great article: So how did I get infected in the first place.

    Next follow the instructions below to keep yourself free from infection.

    Disable and then enable system restore to purge infected restore points.

    Turn OFF System Restore.
    1. On the Desktop, right-click My Computer.
    2. Click Properties.
    3. Click the System Restore tab.
    4. Check Turn off System Restore.
    5. Click Apply.
    6. Click OK.

    To enable system restore:
    1. Uncheck the box by Turn off system restore
    2. Click Apply.
    3. System restore is now on.
    4. Create a restore point by clicking Start--->All programs--->Accessories--->System tools--->System restore
    5. Select the bubble that says Create restore point. Then click Next.
    6. Give the restore point a meaningful name like post malware removal. Then click OK.

    Rehide hidden files and folders. During your fix if you were asked to "show hidden files and folders" you should go back now and re-hide them. You wouldn't want to accidentally delete important files. Follow the instructions below:
    • Click "Start".
    • Click "My Computer".
    • Select the "Tools" menu and click "Folder Options".
    • Select the "View" tab.
    • Under the "Hidden files and folders" heading, select "Do not show hidden files and folders".
    • Check the "Hide protected operating system files (recommended)" option.
    • Check the "Hide file extensions for known file types".
    • Click Apply then click "OK".


    Update the OS regularly

    Set up system to ensure a regular update of the Operating System.

    Manually:

    Visit Windows Update on a weekly/fortnightly REGULAR basis.

    Automatically:
    1. On the Desktop, right-click My Computer.
    2. Click Properties.
    3. Click on Automatic Updates.
    4. Check the option of choice (I use Automatic (Recommended)). If you use dial-up I would recommend using the Notify Me option so that you can download when you can afford the time and bandwidth overheads.
    5. Select the Day/Time of choice
    6. Click Apply
    7. Click OK


    Secure your web browser
    1. Open Internet Explorer and click on the Tools menu and then click on Security
    2. Click the Internet icon
    3. Click on Custom Level.
    4. Change the Download signed ActiveX controls to Prompt
    5. Change the Download unsigned ActiveX controls to Disable
    6. Change the Initialize and script ActiveX controls not marked as safe to Disable
    7. Change the Installation of desktop items to Prompt
    8. Change the Launching programs and files in an IFRAME to Prompt
    9. Change the Navigate sub-frames across different domains to Prompt
    10. Change the Allow paste operations via script to Disable
    11. Click on OK
    12. Save (if asked).
    13. Click on Apply button
    14. Click on OK

    Alternatively you could use another browser such as
    Mozilla Firefox (My personal favorite!)
    Opera

    Get Some Protection
    The following programs are useful in the fight against Malware. Best of all, they're FREE.
    Download and install any or all. Be warned though ---- You must update regularly. Check once a week!
    • Ad-Aware SE - This is a program that scans for and removes known spyware from your machine.
    • Spybot Search & Destroy - Similar to Ad-Aware but more configurable and incorporates Teatime, a memory resident utility that protects the system registry. I recommend
    • Spyware Blaster - It prevents the addition of ActiveX Controls on your machines by isolating the system registry.
    A good antiviral program is essential. I see you have one. Make sure to keep it updated.

    And Finally.........Lock the door with a Firewall. XP comes with its own simple firewall but I prefer to substitute it with ZoneAlarm.

    I wish you very happy, and most importantly, safe surfing on the information superhighway. Just remember it can be dangerous.
This discussion has been closed.