# VBS.Gaggle.E - can't double click open hard drive



## Saito (Sep 1, 2002)

All the problems started when I used my colleague's USB key. After using his key, I noticed that every time I double click on a hard drive icon in "My Computer", two windows get open. When I right click on a hard drive I see weird text in place of the bold "Open" in the contextual menu. (see attached picture)

I ran my antivirus software (Norton Internet Security 2007), and it detected a trojan in all my hard drives. See below for the log of the removal.

*Source: C:\WINDOWS\system32\autorun.vbs 
Risk category: Virus 
Overall Risk Impact: High 
Click for more information about this risk : Trojan Horse 
Action taken: Fully removed

Source: c:\autorun.vbs 
Risk category: Virus 
Overall Risk Impact: High 
Click for more information about this risk : Trojan Horse 
Action taken: Fully removed

Source: d:\autorun.vbs 
Risk category: Virus 
Overall Risk Impact: High 
Click for more information about this risk : Trojan Horse 
Action taken: Fully removed *

I googled the "autorun.vbs" and i found Symantic's removal instructions. I followed them but nothing happened. (http://www.symantec.com/security_response/print_writeup.jsp?docid=2004-070814-1115-99)

Now, everytime I double click on a drive in my computer, I get the error:
"Cannot find script file "C:\autorun.vbs". ", effectively stopping me from opening my drives. I can still access my files through windows explorer though.

To me it seems similar to when you insert a CD, and double click it, the default action would be to run autoplay (which is bolded in the contextual menu when you right click on it). Other than that, I'm clueless, and I couldn't find anything helpful from google.

Please help =) I don't want to end up formating my PC

thanks


----------



## valis (Sep 24, 2004)

Please do this:

•Click here to download HJTsetup.exe
•	Save HJTsetup.exe to your desktop.
•	Doubleclick on the HJTsetup.exe icon on your desktop.
•	By default it will install to C:\Program Files\Hijack This.
•	Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
•	Put a check by Create a desktop icon then click Next again.
•	Continue to follow the rest of the prompts from there.
•	At the final dialogue box click Finish and it will launch Hijack This.
•	Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
•	Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
•	Come back here to this thread and Paste the log in your next reply.
•	DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. 
•	Wait for a security expert (identified by the gold badge next to their name) to come by and parse your log. Be patient; there are a lot of people who come here to get fixed up, and only a handful of certified fixer uppers.


----------



## Saito (Sep 1, 2002)

here is the Hijack this log:

*Logfile of HijackThis v1.99.1
Scan saved at 11:54:50 PM, on 11/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ASUS\Mobile Theater\Kernel\TV\CLCapSvc.exe
C:\Program Files\ASUS\Mobile Theater\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\ASUS\Mobile Theater\Kernel\CLML_NTService\CLMLService.exe
c:\WINDOWS\system32\IFXSPMGT.exe
c:\WINDOWS\system32\IFXTCS.exe
C:\WINDOWS\system32\RemoteControlService.exe
c:\Program Files\Infineon\Security Platform Software\PSDsrvc.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\ASUS\Mobile Theater\Kernel\TV\CLSched.exe
c:\Program Files\Infineon\Security Platform Software\PSDrt.exe
c:\Program Files\Infineon\Security Platform Software\SpTna.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\ASUS\Mobile Theater\PCMService.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asus.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asus.com/
F2 - REG:system.ini: UserInit=userinit.exe,autorun.bat
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ACMON] C:\Program Files\ASUS\Splendid\ACMON.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ABLKSR] C:\windows\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\ASUS\Mobile Theater\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: MetaCafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O10 - Broken Internet access because of LSP provider 'w2pxdrv.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF1CBF47-4BD4-499E-8C8C-58C6A28B00F0}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: IfxWlxEN - C:\WINDOWS\SYSTEM32\IfxWlxEN.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ASUS\Mobile Theater\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ASUS\Mobile Theater\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ASUS\Mobile Theater\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - c:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - c:\WINDOWS\system32\IFXTCS.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: ITE Remote Control Service (ITECIRService) - ITE Tech. Inc. - C:\WINDOWS\system32\RemoteControlService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - c:\Program Files\Infineon\Security Platform Software\PSDsrvc.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe*


----------



## Saito (Sep 1, 2002)

also, this is the hijack this log file when the error msg box is open. Im posting this because I noticed a service called "wscript.exe" pop up in task manager processes list (only shows up when the error msg is open, goes away when msg box is closed).

*Logfile of HijackThis v1.99.1
Scan saved at 11:57:57 PM, on 11/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ASUS\Mobile Theater\Kernel\TV\CLCapSvc.exe
C:\Program Files\ASUS\Mobile Theater\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\ASUS\Mobile Theater\Kernel\CLML_NTService\CLMLService.exe
c:\WINDOWS\system32\IFXSPMGT.exe
c:\WINDOWS\system32\IFXTCS.exe
C:\WINDOWS\system32\RemoteControlService.exe
c:\Program Files\Infineon\Security Platform Software\PSDsrvc.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\ASUS\Mobile Theater\Kernel\TV\CLSched.exe
c:\Program Files\Infineon\Security Platform Software\PSDrt.exe
c:\Program Files\Infineon\Security Platform Software\SpTna.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\ASUS\Mobile Theater\PCMService.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\WScript.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asus.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asus.com/
F2 - REG:system.ini: UserInit=userinit.exe,autorun.bat
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ACMON] C:\Program Files\ASUS\Splendid\ACMON.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ABLKSR] C:\windows\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\ASUS\Mobile Theater\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: MetaCafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O10 - Broken Internet access because of LSP provider 'w2pxdrv.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF1CBF47-4BD4-499E-8C8C-58C6A28B00F0}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: IfxWlxEN - C:\WINDOWS\SYSTEM32\IfxWlxEN.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ASUS\Mobile Theater\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ASUS\Mobile Theater\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ASUS\Mobile Theater\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - c:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - c:\WINDOWS\system32\IFXTCS.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: ITE Remote Control Service (ITECIRService) - ITE Tech. Inc. - C:\WINDOWS\system32\RemoteControlService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - c:\Program Files\Infineon\Security Platform Software\PSDsrvc.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe*


----------



## valis (Sep 24, 2004)

well, whatever you got, you probably got it from p2p. I would reco losing the azureus, as that is just a breeding ground for viruses. Regrardless, there's stuff in your log that raises a few alarms here, so wait for an expert (id'd by the gold badge next to their name) to come parse your log.

v


----------



## Saito (Sep 1, 2002)

Thanks Valis,

I will give it a try and hopefully it works.

Also, I noticed the same garbled text (as in the attached pic) when i started using that usb key, thats why i thought that it was the thing that started all this mess.


----------



## valis (Sep 24, 2004)

as I said, just wait for an expert to parse your log....one should be by shortly. If one hasn't been by by tomorrow, type 'bump' in the reply area to move yours to the top of the pile.


----------



## Saito (Sep 1, 2002)

I found these entries in the registry, and I think they might be related to my issue: (key location, followed by the string)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d38627d6-f166-11da-97a7-806d6172696f}\Shell\open
*´ò¿ª(&O)*

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d38627d6-f166-11da-97a7-806d6172696f}\Shell\open\Command
*WScript.exe .\autorun.vbs*

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d38627d6-f166-11da-97a7-806d6172696f}\Shell\explore
*×ÊÔ´¹ÜÀíÆ÷(&X)*

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d38627d6-f166-11da-97a7-806d6172696f}\Shell\explore\Command
*WScript.exe .\autorun.vbs*

Also, this is what I found when I clicked "modify binary data"
wscript.exe\autorun.vbs

There are a few more all under MountPoints2.

I backed up my registry and deleted all these strings. Then I right click on my C drive and see that all the weird text is gone, and the folder opens normally. But after I restart, the problem comes back again.

I'm not an expert, and if no one helps anytime soon, I think I might do some irreversible damage to my pc    <thats another way of saying BUMP!!!> hehe


----------



## valis (Sep 24, 2004)

as I mentioned before, stop, and wait for an expert to help you with your log.


----------



## Saito (Sep 1, 2002)

bumpidy bump


----------



## Cookiegal (Aug 27, 2003)

Before proceeding, we would like to take a closer look at some of these files.

Go to Start > Search and under "More advanced search options". 
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Download Suspicious File Packer from http://www.safer-networking.org/en/tools/index.html and unzip it to desktop, open it & 
paste in this list of files and when it has created the archive on your desktop please upload that to http://www.thespykiller.co.uk/forum/index.php?board=1.0 so we can examine the files.

*C:\WINDOWS\system32\autorun.vbs
C:\WINDOWS\system32\autorun.bat
C:\WINDOWS\system32\WScript.exe
d:\autorun.vbs*

Please add a link to your post here so we know where the files came from. Thanks.


----------



## valis (Sep 24, 2004)

thanks cookie.


----------



## Cookiegal (Aug 27, 2003)

You're welcome Tim.


----------



## Saito (Sep 1, 2002)

cookiegal,

http://www.thespykiller.co.uk/forum/index.php?topic=3093.0


----------



## Cookiegal (Aug 27, 2003)

Download *AVG Anti-Spyware* from *HERE* and save that file to your desktop.

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.


Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "*Update*" then select the "*Update now*" link.
Next select the "*Start Update*" button. The update will start and a progress bar will show the updates being installed.

Once the update has completed, select the "*Scanner*" icon at the top of the screen, then select the "*Settings*" tab.
Once in the Settings screen click on "*Recommended actions*" and then select "*Quarantine*".
Under "*Reports*"
Select "*Automatically generate report after every scan*"
Un-Select "*Only if threats were found*"

Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
Reboot your computer into *Safe Mode*. You can do this by restarting your computer and continually tapping the *F8* key until a menu appears. Use your up arrow key to highlight *Safe Mode* then hit enter.

*IMPORTANT:* Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:

Launch AVG Anti-Spyware by double clicking the icon on your desktop.
Select the "*Scanner*" icon at the top and then the "*Scan*" tab then click on "*Complete System Scan*".
AVG will now begin the scanning process. Please be patient as this may take a little time.
*Once the scan is complete, do the following:*
If you have any infections you will be prompted. Then select "*Apply all actions.*"
Next select the "*Reports*" icon at the top.
Select the "*Save report as*" button in the lower lef- hand of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode.

Please go *HERE* to run Panda's ActiveScan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report

*Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.*


----------



## Saito (Sep 1, 2002)

cookiegal,

thanks for the help! i didn't know about the "Hide protected operating system files" option, once I opened that up I saw autorun.vbs, autorun.bat, and other files with the same name and extension. I downloaded AVG and it managed to remove all these files.

I also ran the scans on all my external drives and usb sticks etc that might have been infected, and sure enough I found a couple that were.

Now After I restart my system, there's no remains of these virus files, and all the jumbled text in the right click menu are gone.

Thanks again cookiegal , valis ! keep up the good work.

P.S. sorry I didn't post any reports, I was just too happy when I saw the culprit files I skipped that part =)


----------



## valis (Sep 24, 2004)

you may still want to post to hte reports just to verify that everything is gone. A lot of times they (the malware) will respawn after x amount of time. But very happy to hear that all is running well. Cookie is amongst the best on the planet at what she does.


----------



## Cookiegal (Aug 27, 2003)

The only file uploaded to The SpyKiller was the wscript.exe and it's the valid MS file.


Do you still have any of those files either in quarantine or in the recycle bin?


I really need to see a new HijackThis log please.


----------



## Saito (Sep 1, 2002)

Here are the logs (no vbs files were found):

*Panda Online Scan*

Incident Status Location

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt[.statcounter.com/] 
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt[searchportal.information.com/] 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt[.xiti.com/] 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt[.atwola.com/] 
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt[.toplist.cz/] 
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt[.apmebf.com/] 
Spyware:Cookie/Go  Not disinfected C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt[.go.com/] 
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt[.maxserving.com/] 
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt[.bravenet.com/] 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt[.realmedia.com/]

*AVG scan (safe mode) *
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:	11:57:23 PM 11/27/2006

+ Scan result:

:mozilla.82:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.91:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.179:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.180:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.181:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.199:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.200:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.100:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.99:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.171:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.120:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.121:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.127:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.32:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.33:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.35:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.36:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.160:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.125:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.126:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.128:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.129:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.130:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.13:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.93:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.94:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.95:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.96:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.97:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.23:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.24:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.25:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.75:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.27:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.28:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.29:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.30:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.31:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.81:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.83:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.85:C:\Documents and Settings\Mohammed\Application Data\Mozilla\Firefox\Profiles\y4vv3mnk.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.

::Report end

*Final Hijack this*
Logfile of HijackThis v1.99.1
Scan saved at 1:43:00 AM, on 11/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ASUS\Mobile Theater\Kernel\TV\CLCapSvc.exe
C:\Program Files\ASUS\Mobile Theater\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\ASUS\Mobile Theater\Kernel\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\RemoteControlService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\ASUS\Mobile Theater\Kernel\TV\CLSched.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\ASUS\Mobile Theater\PCMService.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asus.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asus.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ACMON] C:\Program Files\ASUS\Splendid\ACMON.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ABLKSR] C:\windows\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\ASUS\Mobile Theater\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF1CBF47-4BD4-499E-8C8C-58C6A28B00F0}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: IfxWlxEN - IfxWlxEN.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ASUS\Mobile Theater\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ASUS\Mobile Theater\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ASUS\Mobile Theater\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Unknown owner - c:\WINDOWS\system32\IFXSPMGT.exe (file missing)
O23 - Service: Trusted Platform Core Service (IFXTCS) - Unknown owner - c:\WINDOWS\system32\IFXTCS.exe (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: ITE Remote Control Service (ITECIRService) - ITE Tech. Inc. - C:\WINDOWS\system32\RemoteControlService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Unknown owner - c:\Program Files\Infineon\Security Platform Software\PSDsrvc.EXE (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Hopefully The virus was fully removed... By the way, thanks for your time guys, really appreciate it.


----------



## Cookiegal (Aug 27, 2003)

Just a little tidying up left to do.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k*

How are things running now?


----------



## Saito (Sep 1, 2002)

done...

thanks a lot for your help. Everything is running smoothly now =)


----------



## Cookiegal (Aug 27, 2003)

You're welcome. :up:

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start*  *All Programs*  *Accessories*  *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click *Edit - Select All* then hit *Delete* to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

*Empty the recycle bin*.


----------



## Cookiegal (Aug 27, 2003)

Before you go I'd like to check something else please.


Please export this registry key. Right click on MountPoints2 and select "export" and save it to your desktop. Then open it with Notepad and copy and paste the contents here please.


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\


----------



## Drew345 (Dec 1, 2006)

Saito,
I am having a similar problem, except it is my memory stick I cannot open, not my harddrive.
I saw before you said that you scanned all external drives and memory sticks with AVG. Is that right? When I run AVG, I cannot find any option for scanning and cleaning external drives. Did you find a way to scan your memory sticks with AVG?
Thanks,
Drew


----------



## Drew345 (Dec 1, 2006)

OOps, nevermind,
I just had to open the my computer a few times and it finally saw my J: Drive. 
I got the scan running now.
Thanks, Drew


----------



## Saito (Sep 1, 2002)

did you manage to remove the trojan?


----------



## Drew345 (Dec 1, 2006)

I got everything cleaned up with AVG and Cookiegal's wonderful help. But I still can't open the memory stick except for the first time I put it in. I always get that darn "Can't find autorun.vbs' error. My case is here:
http://forums.techguy.org/security/523202-error-can-not-find-script.html


----------



## khasa123 (Dec 5, 2006)

hello cookie i had posted a forum a week ago and i did nt get any reply........... please help me as i can not get my thing working i did what you wrote to saito but some how still it doesnt work in the middle of the panda scan it says i dont have an outlook account which i dont have even and sudddenly it dissspears it took me 6 hours to do this but still doesnt work ,it still tells me the same message cant find autorun.vbs

here is my report

Incident Status Location

Spyware:Cookie/Statcounter Not disinfected  C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt[.statcounter.com/] 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt[.xiti.com/]

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:	9:56:30 PM 12/5/2006

+ Scan result:

HKU\S-1-5-21-1454471165-789336058-725345543-500\Software\IST -> Adware.ISTBar : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\switch.exe -> Downloader.IstBar : Cleaned with backup (quarantined).
:mozilla.122:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.123:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.104:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.105:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.63:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.106:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Bfast : Cleaned.
:mozilla.107:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Bfast : Cleaned.
:mozilla.141:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.35:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.64:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Com : Cleaned.
:mozilla.128:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.130:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.131:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.28:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.29:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.30:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.31:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.32:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.81:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.83:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.116:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.117:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.118:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.66:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.67:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.68:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.69:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.161:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.162:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.163:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.164:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.165:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.166:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.167:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.74:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.75:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.76:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.77:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.78:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.18:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.19:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.101:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.144:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.119:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.120:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkmxyk0s.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.

::Report end

please help me


----------



## Cookiegal (Aug 27, 2003)

khasa123,

Please reply in your own thread which you will find at the following link:

http://forums.techguy.org/security/524249-my-hard-drive-clicking-still.html


----------

