S&D cannot be deleted. S&D and IE exe cannot be launched



psbsubs4
2010-12-30, 03:22
Hello,

My Net Nanny software started acting funny by not letting any browser window I opened to be able to connect to the internet. I tried to run my Avast AV software but it would hang on a scan. I tried to run S&D but it would not launch. I worked with Net Nanny to uninstall and reinstall and I was able to connect to the internet. (BTW, I do not think Net Nanny is doing what it should be doing though because it is not asking me to log into it to get to an internet page.) Perhaps I should just uninstall NN for now...?

Anyway, once I was able to get back to the internet, I downloaded a new version of Avast AV but it still hangs up on a scan. I have uninstalled it.

Now my recollection gets fuzzy. I think I tried to uninstall S&D (& Tea Timer). I think S&D was in Add/Remove programs but TT was not. I downloaded a new S&D file and tried to install. It had a lot of warnings about write protection and I selected the option to remove the write protection each time. That worked for most files but not for the S&D nor TT .exe files.

I found the post that talked about manual deletion from the "all users" folder and the programs folder and tried that and was able to delete all except the S&D & TT .exe files.

I then tried another install. I did not get the warning about the write protect for the other files (since they were deleted) but I still got it for the S&D & TT files. I told it to ignore so that it would finish the install.

I launched S&D after the install but frankly, I cannot recall for sure just what it did. I think it hung and I cannot recall how I closed out from it (whether it let me cancel or I had to do something more forceful).

Now when I try to launch S&D, it tells me
QUOTE
Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the item.
END QUOTE

Note: I am running XP (SP3) and I am logged in as the admin so I know it is not a true auth/permissions problem.

Note: As I said before, I was able to launch IE and get to the web but now when I launch IE (IE7) it is giving me the same error message as when I launch S&D.

I had found the posts that talk about sending in attach.txt and DDS.txt. I will include the DDS text down below and attach the "attach" file.

I also found a post talking about running Root Analyzer. I ran the quick scan and it came up ok. I ran the deep scan and it flagged some stuff. I scanned what it flagged and nothing jumped out at me but I have not yet compared the entries like it advises.

I followed the steps in this post
http://forums.spybot.info/showthread.php?t=50194
which is why I am now making my own post.

I also read
http://forums.spybot.info/showthread.php?t=288
and have created the ERUNT registry dump.

Here below are the DDS.txt contents.
Note: I am probably being too cautious but I changed some text since this is a public forum. Namely:
maskedname is a corporate website that I saw no need to post.
myxpid~ is masking my xp admin account ID
[my admin id] is also masking my xp admin ID


Thanks for your help.

DDS (Ver_10-12-12.02) - NTFSx86
Run by [my admin id] at 18:46:11.03 on 12/28/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.544 [GMT -6:00]


============== Running Processes ===============

"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ClearPlay\ClearPlay Easy Updates\ClearPlayEasyUpdates.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\FastStone Capture\FSCapture.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Documents and Settings\[my admin id]\My Documents\RCA Detective\RCADetective.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\imapi.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\[my admin id]\Local Settings\Temporary Internet Files\Content.IE5\KX5LHTQ3\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Gamevance: {0ed403e8-470a-4a8a-85a4-d7688cfe39a3} - c:\program files\gamevance\gamevancelib32.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: CPrintEnhancer Object: {ae84a6aa-a333-4b92-b276-c11e2212e4fe} - c:\program files\hp\smart web printing\SmartWebPrinting.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {BEAC7DC8-E106-4C6A-931E-5A42E7362883} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [cwcptray] c:\program files\contentwatch\internet protection\cwtray.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
StartupFolder: c:\docume~1\myxpid~1\startm~1\programs\startup\clearp~1.lnk - c:\program files\clearplay\clearplay easy updates\ClearPlayEasyUpdates.exe
StartupFolder: c:\docume~1\myxpid~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
StartupFolder: c:\docume~1\myxpid~1\startm~1\programs\startup\fastst~1.lnk - c:\program files\faststone capture\FSCapture.exe
StartupFolder: c:\docume~1\myxpid~1\startm~1\programs\startup\forget~1.lnk - c:\program files\mindscape\agspirit\PMREMIND.EXE
StartupFolder: c:\docume~1\myxpid~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\myxpid~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\myxpid~1\startm~1\programs\startup\rcadet~1.lnk - c:\documents and settings\[my admin id]\my documents\rca detective\RCADetective.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventr~1.lnk - c:\program files\broderbund\printmaster\PMremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{6dc47739-3bb0-4494-a43d-193bf54070ae}\Icon3E5562ED7.ico
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: ameren.com
Trusted Zone: maskedname.com
Trusted Zone: clearplay.com
Trusted Zone: hp.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: VPNJava - hxxps://remote.maskedname.com/CACHE/stc/1/binaries/VPNJava.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://myportfolio.maskedname.com/vdesk/terminal/f5tunsrv.cab#version=6030,2009,626,1841
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - c:\docume~1\myxpid~1\locals~1\temp\ixp000.tmp\InstallerControl.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://remote.maskedname.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202682592866
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC}
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} - hxxps://myportfolio.maskedname.com/vdesk/terminal/vdeskctrl.cab#version=6030,2009,0622,1849
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D}
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://myportfolio.maskedname.com/vdesk/terminal/urxshost.cab#version=6030,2009,622,1847
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://myportfolio.maskedname.com/vdesk/terminal/urxhost.cab#version=6030,2009,622,1843
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-5-25 88176]
S1 ceaf;ceaf; [x]
S2 CwAltaService20;ContentWatch;c:\program files\contentwatch\internet protection\cwsvc.exe [2010-12-28 2109440]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-20 136176]
S3 pohci13F;pohci13F;\??\c:\docume~1\myxpid~1\locals~1\temp\pohci13f.sys --> c:\docume~1\myxpid~1\locals~1\temp\pohci13F.sys [?]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2008-2-13 11520]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-8-28 189792]

=============== Created Last 30 ================

2010-12-28 23:43:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-12-28 22:31:40 -------- d-----w- c:\program files\ContentWatch
2010-12-28 22:31:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\ContentWatch
2010-12-28 00:31:06 75264 ----a-w- c:\windows\system32\dcaf.sys
2010-12-28 00:28:43 75264 ----a-w- c:\windows\system32\ceaf.sys
2010-12-25 20:17:57 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-12-25 20:17:57 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-12-25 20:16:42 -------- d-----w- c:\program files\iPod
2010-12-25 20:16:22 -------- d-----w- c:\program files\iTunes
2010-12-25 20:16:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-12-25 20:15:34 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2010-12-25 20:15:34 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2010-12-25 20:15:34 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2010-12-25 20:15:34 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2010-12-25 20:14:06 -------- d-----w- c:\docume~1\myxpid~1\locals~1\applic~1\Apple
2010-12-25 20:13:07 -------- d-----w- c:\program files\Bonjour
2010-12-25 20:10:09 -------- d-----w- c:\docume~1\myxpid~1\locals~1\applic~1\Apple Computer
2010-11-29 23:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2010-12-15 20:37:04 81920 ----a-w- c:\windows\system32\wxcode_msw28u_wxjson_CW.dll
2010-12-15 20:36:56 1073152 ----a-w- c:\windows\system32\wxcode_msw28u_wxcurl_CW.dll
2010-12-15 20:34:40 975872 ----a-w- c:\windows\system32\libxml2_CW.dll
2010-12-15 20:30:44 151552 ----a-w- c:\windows\system32\libexpat.dll
2010-12-15 04:09:50 720384 ----a-w- c:\windows\system32\cwalsp.dll
2010-12-15 04:09:50 1884160 ----a-w- c:\windows\system32\AltaRecovery.exe
2010-11-28 01:52:51 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-10-07 18:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 18:23:02 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-10-07 18:23:02 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 18:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

============= FINISH: 18:47:20.00 ===============

ken545
2011-01-03, 21:59


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Sorry you had to wait, we get very busy most times.

If you read this you can see we just fix home computers, we do not work on corporate ones.

http://forums.spybot.info/showthread.php?t=27710

The intention of this forum is not to replace a company's IT department, nor can we anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware.

The majority of the tools used in this forum are only free for Home Users and only tested on Home machines, they may well change settings that are required for a Company network. Another consideration is that company information may show in the logs.

More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

To prevent any possible loss or corruption of company information, please inform your IT department or Supervisor when a workplace computer has been infected, immediately.

It's not that we don't want to help, but there are too many issues that could arise from a networked company machine that malware forum volunteers are not experienced in dealing with.
Thank you for your understanding.

psbsubs4
2011-01-04, 00:58
Hi,

Sorry if I confused you on my original post. This IS a home computer that is having the problem.

From time to time, when something blows up at work, I VPN into my work computer to fix the problem but this virus issue is on my home computer, not my work computer.

Since I do not know what all is included in the DDS and Attach files, I thought it best to mask my work name so that someone could not take info from the Attach or DDS files and cause some mischief.

Please take a look into this virus problem that I am having.

Thanks

ken545
2011-01-04, 01:23
I need to see the entire log, nothing masked, so I can determine what's going on with your system.

OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL. folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

psbsubs4
2011-01-04, 13:10
Hi,

I followed your instructions for downloading and running OTL. When I clicked the Run Scan button, the screen just closed. I assumed it was just running "behind the scenes" and waited 5 minutes. When nothing happened, I looked for c:\otl and it did not exist. I looked in task manager and did not see an otl entry. I tried launching the application again but nothing happened. I rebooted and tried launching and now I get the same error message for otl that I get for SpyBotSD. That is,

Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the item.

I therefore regenerated the DDS and Attach files (with no masking this time) hoping that they can be of help. The DDS text follows and the Attached file is Attached.

Thanks & Regards

DDS (Ver_10-12-12.02) - NTFSx86
Run by Paul Brown at 6:03:03.81 on 01/03/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.505 [GMT -6:00]


============== Running Processes ===============

"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ClearPlay\ClearPlay Easy Updates\ClearPlayEasyUpdates.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\FastStone Capture\FSCapture.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Documents and Settings\Paul Brown\My Documents\RCA Detective\RCADetective.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Z-SOFT~1\WINZIP\wzqkpick.exe
C:\Documents and Settings\Paul Brown\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Gamevance: {0ed403e8-470a-4a8a-85a4-d7688cfe39a3} - c:\program files\gamevance\gamevancelib32.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: CPrintEnhancer Object: {ae84a6aa-a333-4b92-b276-c11e2212e4fe} - c:\program files\hp\smart web printing\SmartWebPrinting.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {BEAC7DC8-E106-4C6A-931E-5A42E7362883} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [cwcptray] c:\program files\contentwatch\internet protection\cwtray.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
StartupFolder: c:\docume~1\paulbr~1\startm~1\programs\startup\clearp~1.lnk - c:\program files\clearplay\clearplay easy updates\ClearPlayEasyUpdates.exe
StartupFolder: c:\docume~1\paulbr~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
StartupFolder: c:\docume~1\paulbr~1\startm~1\programs\startup\fastst~1.lnk - c:\program files\faststone capture\FSCapture.exe
StartupFolder: c:\docume~1\paulbr~1\startm~1\programs\startup\forget~1.lnk - c:\program files\mindscape\agspirit\PMREMIND.EXE
StartupFolder: c:\docume~1\paulbr~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\paulbr~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\paulbr~1\startm~1\programs\startup\rcadet~1.lnk - c:\documents and settings\paul brown\my documents\rca detective\RCADetective.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventr~1.lnk - c:\program files\broderbund\printmaster\PMremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{6dc47739-3bb0-4494-a43d-193bf54070ae}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\z-software-for-installs\winzip\WZQKPICK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: ameren.com
Trusted Zone: brownshoe.com
Trusted Zone: clearplay.com
Trusted Zone: hp.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: VPNJava - hxxps://remote.brownshoe.com/CACHE/stc/1/binaries/VPNJava.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://myportfolio.brownshoe.com/vdesk/terminal/f5tunsrv.cab#version=6030,2009,626,1841
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - c:\docume~1\paulbr~1\locals~1\temp\ixp000.tmp\InstallerControl.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://remote.brownshoe.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202682592866
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC}
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} - hxxps://myportfolio.brownshoe.com/vdesk/terminal/vdeskctrl.cab#version=6030,2009,0622,1849
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D}
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://myportfolio.brownshoe.com/vdesk/terminal/urxshost.cab#version=6030,2009,622,1847
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://myportfolio.brownshoe.com/vdesk/terminal/urxhost.cab#version=6030,2009,622,1843
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-5-25 88176]
S1 ceaf;ceaf; [x]
S2 CwAltaService20;ContentWatch;c:\program files\contentwatch\internet protection\cwsvc.exe [2010-12-28 2109440]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-20 136176]
S3 pohci13F;pohci13F;\??\c:\docume~1\paulbr~1\locals~1\temp\pohci13f.sys --> c:\docume~1\paulbr~1\locals~1\temp\pohci13F.sys [?]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2008-2-13 11520]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-8-28 189792]

=============== Created Last 30 ================

2010-12-28 23:43:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-12-28 22:31:40 -------- d-----w- c:\program files\ContentWatch
2010-12-28 22:31:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\ContentWatch
2010-12-28 00:31:06 75264 ----a-w- c:\windows\system32\dcaf.sys
2010-12-28 00:28:43 75264 ----a-w- c:\windows\system32\ceaf.sys
2010-12-25 20:17:57 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-12-25 20:17:57 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-12-25 20:16:42 -------- d-----w- c:\program files\iPod
2010-12-25 20:16:22 -------- d-----w- c:\program files\iTunes
2010-12-25 20:16:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-12-25 20:15:34 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2010-12-25 20:15:34 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2010-12-25 20:15:34 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2010-12-25 20:15:34 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2010-12-25 20:14:06 -------- d-----w- c:\docume~1\paulbr~1\locals~1\applic~1\Apple
2010-12-25 20:13:07 -------- d-----w- c:\program files\Bonjour
2010-12-25 20:10:09 -------- d-----w- c:\docume~1\paulbr~1\locals~1\applic~1\Apple Computer

==================== Find3M ====================

2010-12-15 20:37:04 81920 ----a-w- c:\windows\system32\wxcode_msw28u_wxjson_CW.dll
2010-12-15 20:36:56 1073152 ----a-w- c:\windows\system32\wxcode_msw28u_wxcurl_CW.dll
2010-12-15 20:34:40 975872 ----a-w- c:\windows\system32\libxml2_CW.dll
2010-12-15 20:30:44 151552 ----a-w- c:\windows\system32\libexpat.dll
2010-12-15 04:09:50 720384 ----a-w- c:\windows\system32\cwalsp.dll
2010-12-15 04:09:50 1884160 ----a-w- c:\windows\system32\AltaRecovery.exe
2010-11-29 23:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-28 01:52:51 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-10-07 18:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 18:23:02 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-10-07 18:23:02 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 18:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

============= FINISH: 6:04:11.96 ===============

ken545
2011-01-04, 13:16
First go to Add Remove Programs in the control panel and uninstall Spybot, and then see if you can run this program

Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please

psbsubs4
2011-01-05, 00:59
The Virus whacked this scanner program also. That is, I uninstalled SB S&D per your instructions, then downloaded, installed and ran the new scanner that you pointed me to. It started to run and then the screen closed. I tried to launch the program again and got this

Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the item.

ken545
2011-01-05, 01:08
Run this quick program, do not reboot when it's done, and then give Malwarebytes another run

Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.

Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

psbsubs4
2011-01-05, 04:04
Hi,

I tried exehelper. Here is the log

exeHelper by Raktor
Build 20100414
Run at 20:59:11 on 01/03/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

I did not reboot.

I tried to run the Malwarebytes program but got

Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the item.

I relaunched the install (mbam-setup-1.50.1.1100.exe) to do an over-the-top install, executed the program but got the same results. That is, it started to run and then the screen closed.

ken545
2011-01-05, 10:16
Let's try this one instead

Please download SuperAntiSpyware Free (http://www.superantispyware.com/superantispyware.html)
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next <-- Important
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your next reply

psbsubs4
2011-01-05, 15:36
Hi,

I did the install and started the scanner. The good news is that it did not shut down right away. The bad news is that it did shut down after a while like the others. I will try to recall what I saw before the screen shut down...

The scan started running. I left the room for a bit and when I came back it had found one problem. I think "trojan" was in the name and it had a count of 2 next to it. I do not know if that showed up as part of the memory scan or the registry scan. I noticed that it was then scanning the registry. I left and came back later and saw that another problem had been found. I think it had "advgamer" in the name. I saw that it was still scanning the registry. I left the room and when I came back, the window had closed. I tried launching it in hopes of getting to the logs but got the error message that I have been getting. That is,

Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the item.

I tried a re-install over-the-top hoping to get to any log that might have been created. It notified me that it would have to uninstall the old version and I told it to proceed. Very shortly after that, the screen went blank. I waited several minutes but nothing happened so I powered off the machine. I waited a bit and powered up again and was able to log on and then I powered back down.

More on the blank screen. My desktop already had no picture (the picture disappeared a day or two ago) but it did have desktop icons. So, when I say that the screen went blank, it was that all of the desktop icons disappeared.

ken545
2011-01-05, 16:01
See if it will run in Safemode

To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
Then press the Enter Key on your Keyboard

Tutorial if you need it: How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

psbsubs4
2011-01-06, 01:18
Hi, I booted in safe mode. It looks like the prior uninstall (because I was going to try to reinstall after the screen closed (see last post)), even though the screen went blank, was at least partially successful because when I tried to run the program under Start -> Programs -> ... the folder was empty.

While still in safe mode, I installed the software, downloaded the update and started the scan. I made notes of the scan to collect as much as I could before it closed the screen.

In the window on the left, it listed
Trojan.Dropper/SVCHOST-Fake and had a 2 in the column to the right of the listing. Under that was
Adware.Gamevance with a 6.

On the panel on the right it showed
Mem - 1 problem
Registry - 5 problems
File - 2 problems
Total - 8 problems

I rebooted (regular mode this time) and looked in

C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs

and found

SUPERANTISPYWARE-1-4-2011( 17-55-49 ).SDB

so I am attaching that in case it may help.

ken545
2011-01-06, 01:28
Your log won't open. Open the log and copy and paste it into this thread

psbsubs4
2011-01-06, 03:59
PART 1 OF A TWO PART POST

(This part is done from an old Win98 machine that I can get to the forum on to type in what I am doing as I do it. The 2nd part of the post will be from the problem machine so that I can get to the log files.)

Could not get app to open in regular mode. Rebooted to safe mode + networking. Did an uninstall and a reinstall. Went to the panel to open log and nothing was there.

Remembered that it could do part of the scan without dying so told app to only scan memory which it did and created a log. I could open that in the tool. Found where that was. Made a discovery.

The path that I previously posted was for application logs

C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs

so not sure what that log file would have in it anyway. The log file that was created from the memory scan went to another location. That location was

C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs

Anyway, since I had done the memory scan, it wanted me to reboot to finish things out. I wanted to try and gather more info so I said not to reboot.

Remembering that the registry scan completed part way before the app died, I thought I could perhaps do a partial scan and then pause it to collect what I could there. After it started I decided it might be better to just let it do its reboot so I aborted the registry scan and rebooted. I uninstalled (selecting to retain log files) and reinstalled. I told it to do the memory scan and it found the memory problem again. So, either it came back or what I did caused the delete to not really go all the way through.

Anyway, I selected custom scan, checked memory and registry and paused it once it got to the aforementioned 8 problems but before the app died. After pausing it, I clicked next and followed the steps that fixed the problem and wanted a reboot. I did the reboot.

Second part of this post to follow in a few minutes.

psbsubs4
2011-01-06, 04:26
PART TWO OF A TWO PART POST. PLEASE SEE PART ONE JUST ABOVE

Rebooted in safe mode. App would not launch. (Not getting the error like I was getting before of file not found... just that the app never launches...)

I uninstalled (retaining log files) and reinstalled. Here is the log file from the scan that was paused:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/04/2011 at 08:59 PM

Application Version : 4.47.1000

Core Rules Database Version : 6137
Trace Rules Database Version: 3949

Scan type : Custom Scan
Total Scan Time : 00:00:51

Memory items scanned : 269
Memory threats detected : 1
Registry items scanned : 588
Registry threats detected : 5
File items scanned : 0
File threats detected : 2

Trojan.Dropper/SVCHost-Fake
\.\GLOBALROOT\DEVICE\SVCHOST.EXE\SVCHOST.EXE
\.\GLOBALROOT\DEVICE\SVCHOST.EXE\SVCHOST.EXE

Adware.Gamevance
HKLM\Software\Classes\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}
HKCR\CLSID\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3}
HKCR\CLSID\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3}
HKCR\CLSID\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3}\InprocServer32
HKCR\CLSID\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3}\InprocServer32#ThreadingModel
C:\PROGRAM FILES\GAMEVANCE\GAMEVANCELIB32.DLL

While I had the app open, I told it to do the mem and reg scan again and it found the memory / trojan and 4 of the 6 registry problems before the app closed so the prior scan either did not remove it or it is reinstalling/reinitializing itself with the reboot.

Without any more rebooting, I did an uninstall and a reinstall thinking that I could have it look at
Startup
Cookies
Selected Folders (told it to do c:\)
The scan is running. I want to complete this second post. Once I get some information on the scan that is running now (finished or app dies) I will post that.
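Comparing two SUPERAntiSpyware scan logs shows which detections survived a repair and reboot, which is the question raised in the post above. This is an added example, not part of the original post or SUPERAntiSpyware's own tooling: the first sample reuses the detection block quoted in the post, the second scan and all function names are constructed for illustration, and treating HKCR as equal to HKLM\Software\Classes is a simplification.

```python
import re

# Constructed sample 1: header trimmed, detection block as quoted in the post.
SCAN_BEFORE = r"""
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/04/2011 at 08:59 PM

Scan type : Custom Scan
Total Scan Time : 00:00:51

Memory threats detected : 1
Registry threats detected : 5
File threats detected : 2

Trojan.Dropper/SVCHost-Fake
\.\GLOBALROOT\DEVICE\SVCHOST.EXE\SVCHOST.EXE
\.\GLOBALROOT\DEVICE\SVCHOST.EXE\SVCHOST.EXE

Adware.Gamevance
HKLM\Software\Classes\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}
HKCR\CLSID\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3}
HKCR\CLSID\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3}
HKCR\CLSID\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3}\InprocServer32
HKCR\CLSID\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3}\InprocServer32#ThreadingModel
C:\PROGRAM FILES\GAMEVANCE\GAMEVANCELIB32.DLL
"""

# Constructed sample 2: a made-up rescan after the repair and reboot.
SCAN_AFTER = r"""
SUPERAntiSpyware Scan Log

Scan type : Custom Scan

Memory threats detected : 1
Registry threats detected : 2
File threats detected : 0

Trojan.Dropper/SVCHost-Fake
\.\GLOBALROOT\DEVICE\SVCHOST.EXE\SVCHOST.EXE

Adware.Gamevance
HKCR\CLSID\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3}
HKCR\CLSID\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3}\InprocServer32
"""

HEADER_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.+)$")      # "Scan type : Custom Scan"
NAME_RE = re.compile(r"^[A-Z][A-Za-z]+\.[A-Za-z][\w /.-]*$")  # "Adware.Gamevance"


def parse_scan_log(text):
    """Return (header, detections): header fields and {family: [items]}."""
    header, detections = {}, {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        if all(HEADER_RE.match(ln) for ln in lines):
            for ln in lines:
                key, value = HEADER_RE.match(ln).groups()
                header[key.strip()] = value.strip()
        elif NAME_RE.match(lines[0]):
            # First line names the family, remaining lines are its items.
            detections.setdefault(lines[0], []).extend(lines[1:])
    return header, detections


def reported_threats(header):
    """Sum the '... threats detected' counters from the log header."""
    return sum(int(v) for k, v in header.items() if k.endswith("threats detected"))


def normalize(item):
    """Fold case and map HKLM\\Software\\Classes onto HKCR (assumed equivalent)."""
    item = item.strip().upper()
    prefix = "HKLM\\SOFTWARE\\CLASSES\\"
    if item.startswith(prefix):
        item = "HKCR\\" + item[len(prefix):]
    return item


def persisted(before, after):
    """Items flagged in both scans, per family: candidates for reinfection."""
    result = {}
    for family, items in before.items():
        common = {normalize(i) for i in items} & {normalize(i) for i in after.get(family, [])}
        if common:
            result[family] = sorted(common)
    return result


if __name__ == "__main__":
    head1, det1 = parse_scan_log(SCAN_BEFORE)
    head2, det2 = parse_scan_log(SCAN_AFTER)
    print("reported before:", reported_threats(head1), "after:", reported_threats(head2))
    for family, items in persisted(det1, det2).items():
        print(family)
        for item in items:
            print("   still present:", item)
```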

psbsubs4
2011-01-06, 05:14
PART THREE OF POST. PLEASE SEE PRIOR TWO PARTS
ALSO THIS POST IS TOO LONG SO I WILL HAVE TO CHOP IT INTO TWO PARTS

The scan of
Startup
Cookies
Selected Folders (told it to do c:\)
completed. 34 minutes and 19.5K files checked. It found
Adware.Tracking Cookie - 816
Trojan.Agent/Gen-Kryptic - 19
Trojan.Agent/Gen-Frauder - 2

After repairing, when I said to reboot it did. I was wondering if rebooting to safe mode might be what stopped the prior repairs from happening so this time I rebooted into normal mode.

After rebooting, the app would not run so I uninstalled and reinstalled so that I could get to the log file. The log file did not show in the app. Note: At the time of the scan, I was in safe mode using the native admin id but at the time I was in the app, I was under my admin id so perhaps the two do not line up somehow? Anyway, I just went through Windows Explorer and got the log file that way.

Here is the contents of the log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/04/2011 at 09:53 PM

Application Version : 4.47.1000

Core Rules Database Version : 6137
Trace Rules Database Version: 3949

Scan type : Custom Scan
Total Scan Time : 00:34:06

Memory items scanned : 0
Memory threats detected : 0
Registry items scanned : 59
Registry threats detected : 0
File items scanned : 19574
File threats detected : 837

Adware.Tracking Cookie
.doubleclick.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.ehg-chartercommunications.hitbox.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.ehg-legonewyorkinc.hitbox.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.ehg-legonewyorkinc.hitbox.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.fastclick.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.fastclick.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.fastclick.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.fastclick.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.fastclick.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.fastclick.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.hitbox.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.hitbox.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.interclick.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.interclick.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.interclick.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.interclick.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.interclick.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.interclick.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.interclick.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.interclick.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.interclick.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.legobrandretail.112.2o7.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.media.adrevolver.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.media.adrevolver.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.mediaplex.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.mediaplex.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.mediaplex.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.msnportal.112.2o7.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.overture.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.overture.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.philips.112.2o7.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.questionmarket.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.questionmarket.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.realmedia.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.realmedia.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.realmedia.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.realmedia.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.realmedia.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.realmedia.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.realmedia.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.realmedia.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.revenue.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.s.clickability.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.s.clickability.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.specificmedia.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.statse.webtrendslive.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.tacoda.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.tacoda.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.tacoda.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.tacoda.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.tacoda.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.tacoda.net [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.tradedoubler.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.tradedoubler.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.trafficmp.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.trafficmp.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.trafficmp.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.trafficmp.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.trafficmp.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.tribalfusion.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.www.halstats.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.zedo.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.zedo.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.zedo.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.zedo.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
.zedo.com [ C:\Documents and Settings\Paul Brown\Application Data\Mozilla\Firefox\Profiles\x1n2x1mv.default\cookies.sqlite ]
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@media6degrees[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@revsci[2].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@adserver.adreactor[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@serving-sys[2].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@realmedia[2].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@liveperson[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@walmart.112.2o7[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@liveperson[3].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@bs.serving-sys[2].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@stlouisdiscountmattress[2].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@www.windowsmedia[2].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@at.atwola[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@ads.undertone[2].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@pro-market[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@247realmedia[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@tacoda.at.atwola[2].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@lfstmedia[2].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@ad.yieldmanager[2].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@trafficmp[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@a1.interclick[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@adecn[2].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@user.lucidmedia[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@ad.yieldmanager[3].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@adserver.adtechus[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@cdn1.trafficmp[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@surveymonkey.122.2o7[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@questionmarket[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@adbrite[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@winzip.122.2o7[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@specificclick[2].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@adxpose[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@pointroll[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@mediabrandsww[2].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@content.yieldmanager[2].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@invitemedia[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@content.yieldmanager[3].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@lucidmedia[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@adinterax[2].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@findajobalready[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@www.googleadservices[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@2o7[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@ads.webkinz[2].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@uol.realmedia[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@ads.pointroll[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@oasn04.247realmedia[2].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@collective-media[2].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@network.realmedia[2].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@interclick[2].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@ads.pubmatic[2].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@www.qsstats[1].txt
C:\Documents and Settings\Paul Brown\Cookies\paul_brown@www.qsstats[2].txt

psbsubs4
2011-01-06, 05:15
LAST AND FINAL PART OF A FOUR PART POST. PLEASE SEE THE PRIOR THREE PARTS.

.realmedia.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.specificmedia.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.content.yieldmanager.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.a1.interclick.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.questionmarket.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.questionmarket.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.trafficmp.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.trafficmp.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.trafficmp.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.trafficmp.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.w3counter.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.doubleclick.net [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.oreck.112.2o7.net [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.www.burstnet.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.adbrite.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.content.yieldmanager.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.adecn.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.a1.interclick.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.a1.interclick.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.a1.interclick.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.a1.interclick.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.a1.interclick.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.a1.interclick.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.interclick.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ru4.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.casalemedia.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.realmedia.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.realmedia.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.network.realmedia.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.collective-media.net [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.legolas-media.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.legolas-media.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.tribalfusion.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.realmedia.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.realmedia.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.adbrite.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.adbrite.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.specificclick.net [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.specificclick.net [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.specificclick.net [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.specificclick.net [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.interclick.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.realmedia.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.mediaplex.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ads.pointroll.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.pointroll.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ads.pointroll.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ads.pointroll.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ads.pointroll.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ads.pointroll.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ads.pointroll.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.ads.pointroll.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.trafficmp.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.trafficmp.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.trafficmp.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.trafficmp.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.trafficmp.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.casalemedia.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.legolas-media.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.adserver.adtechus.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.casalemedia.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.casalemedia.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.casalemedia.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.casalemedia.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.casalemedia.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.casalemedia.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
uol.realmedia.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
network.realmedia.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
banners.battleon.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
banners.battleon.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
banners.battleon.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.server.cpmstar.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.server.cpmstar.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.server.cpmstar.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.server.cpmstar.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.adlegend.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.adlegend.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.bs.serving-sys.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.revsci.net [ C:\Documents and Settings\Paul Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
C:\Documents and Settings\Rachel\Cookies\rachel@adecn[1].txt
C:\Documents and Settings\Rachel\Cookies\rachel@2o7[2].txt
C:\Documents and Settings\Rachel\Cookies\rachel@ru4[2].txt
C:\Documents and Settings\Rachel\Cookies\rachel@invitemedia[1].txt
C:\Documents and Settings\Rachel\Cookies\rachel@specificmedia[2].txt
C:\Documents and Settings\Rachel\Cookies\rachel@ads.webkinz[1].txt
C:\Documents and Settings\Rachel\Cookies\rachel@banners2.battleon[2].txt
C:\Documents and Settings\Rachel\Cookies\rachel@media6degrees[1].txt
C:\Documents and Settings\Rachel\Cookies\rachel@network.realmedia[1].txt
C:\Documents and Settings\Rachel\Cookies\rachel@realmedia[2].txt
C:\Documents and Settings\Rachel\Cookies\rachel@content.yieldmanager[1].txt
C:\Documents and Settings\Rachel\Cookies\rachel@cgm.adbureau[1].txt
C:\Documents and Settings\Rachel\Cookies\rachel@www.googleadservices[2].txt
C:\Documents and Settings\Rachel\Cookies\rachel@www.windowsmedia[2].txt
C:\Documents and Settings\Rachel\Cookies\rachel@at.atwola[2].txt
C:\Documents and Settings\Rachel\Cookies\rachel@insightexpressai[1].txt
C:\Documents and Settings\Rachel\Cookies\rachel@bs.serving-sys[1].txt
C:\Documents and Settings\Rachel\Cookies\rachel@ads.intergi[1].txt
C:\Documents and Settings\Rachel\Cookies\rachel@trafficmp[1].txt
C:\Documents and Settings\Rachel\Cookies\rachel@legolas-media[2].txt
C:\Documents and Settings\Rachel\Cookies\rachel@adlegend[2].txt
C:\Documents and Settings\Rachel\Cookies\rachel@triseptsolutions.122.2o7[1].txt
C:\Documents and Settings\Rachel\Cookies\rachel@tribalfusion[2].txt
C:\Documents and Settings\Rachel\Cookies\rachel@serving-sys[1].txt
C:\Documents and Settings\Rachel\Cookies\rachel@ad.yieldmanager[2].txt
C:\Documents and Settings\Rachel\Cookies\rachel@www.burstbeacon[2].txt
C:\Documents and Settings\Rachel\Cookies\rachel@a1.interclick[2].txt
C:\Documents and Settings\Rachel\Cookies\rachel@pointroll[1].txt
C:\Documents and Settings\Rachel\Cookies\rachel@cdn4.specificclick[2].txt
C:\Documents and Settings\Rachel\Cookies\rachel@tacoda[2].txt
C:\Documents and Settings\Rachel\Cookies\rachel@cdn1.trafficmp[1].txt
C:\Documents and Settings\Rachel\Cookies\rachel@questionmarket[1].txt
C:\Documents and Settings\Rachel\Cookies\rachel@specificclick[1].txt
C:\Documents and Settings\Rachel\Cookies\rachel@server.cpmstar[2].txt
C:\Documents and Settings\Rachel\Cookies\rachel@lucidmedia[1].txt
C:\Documents and Settings\Rachel\Cookies\rachel@247realmedia[1].txt
C:\Documents and Settings\Rachel\Cookies\rachel@adbrite[2].txt
C:\Documents and Settings\Rachel\Cookies\rachel@ads.pointroll[2].txt
C:\Documents and Settings\Rachel\Cookies\rachel@adserver.adtechus[1].txt
C:\Documents and Settings\Rachel\Cookies\rachel@banners.battleon[2].txt
C:\Documents and Settings\Rachel\Cookies\rachel@interclick[2].txt
C:\Documents and Settings\Rachel\Cookies\rachel@lfstmedia[2].txt
cdn4.specificclick.net [ C:\Documents and Settings\Star Wars 1's\Application Data\Macromedia\Flash Player\#SharedObjects\2RWQEJE6 ]
objects.tremormedia.com [ C:\Documents and Settings\Star Wars 1's\Application Data\Macromedia\Flash Player\#SharedObjects\2RWQEJE6 ]
udn.specificclick.net [ C:\Documents and Settings\Star Wars 1's\Application Data\Macromedia\Flash Player\#SharedObjects\2RWQEJE6 ]
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@pointroll[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@revsci[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@ad.wsod[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@adbrite[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@adxpose[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@adecn[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@ads.pointroll[2].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@oasn03.247realmedia[2].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@www.burstbeacon[2].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@eyewonder[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@invitemedia[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@intermundomedia[2].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@adlegend[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@ru4[2].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@dc.tremormedia[2].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@pro-market[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@cdn4.specificclick[2].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@tacoda.at.atwola[2].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@neoedge.adbureau[2].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@specificclick[2].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@serving-sys[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@specificmedia[2].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star wars 1's@ehg-legonewyorkinc.hitbox[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@247realmedia[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@server.cpmstar[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@content.yieldmanager[3].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@adserver.adtechus[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@ads.webkinz[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@trafficmp[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@hitbox[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@network.realmedia[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@ads.pubmatic[2].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@banners2.battleon[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star wars 1's@mediaplex[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@bs.serving-sys[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star wars 1's@megabrands.122.2o7[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star wars 1's@apmebf[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star wars 1's@msnportal.112.2o7[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@a1.interclick[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@ad.yieldmanager[2].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@ads.addynamix[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@ads.bridgetrack[2].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@ads.intergi[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@aws.112.2o7[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@banners.battleon[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@cgm.adbureau[2].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@collective-media[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@content.yieldmanager[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@insightexpressai[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@interclick[2].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@lego.112.2o7[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@lucidmedia[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@media6degrees[2].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@mediabrandsww[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@questionmarket[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@realmedia[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@tribalfusion[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@uol.realmedia[2].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@www.googleadservices[1].txt
C:\Documents and Settings\Star Wars 1's\Cookies\star_wars_1's@www.googleadservices[2].txt
139.memecounter.com [ C:\Documents and Settings\Stephen\Application Data\Macromedia\Flash Player\#SharedObjects\Z5H5KVB8 ]
cdn4.specificclick.net [ C:\Documents and Settings\Stephen\Application Data\Macromedia\Flash Player\#SharedObjects\Z5H5KVB8 ]
memecounter.com [ C:\Documents and Settings\Stephen\Application Data\Macromedia\Flash Player\#SharedObjects\Z5H5KVB8 ]
udn.specificclick.net [ C:\Documents and Settings\Stephen\Application Data\Macromedia\Flash Player\#SharedObjects\Z5H5KVB8 ]
C:\Documents and Settings\Stephen\Cookies\stephen@tribalfusion[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@lego.112.2o7[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@server.cpmstar[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@trafficmp[2].txt
C:\Documents and Settings\Stephen\Cookies\stephen@serving-sys[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@apmebf[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@ads.webkinz[2].txt
C:\Documents and Settings\Stephen\Cookies\stephen@adserver.adtechus[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@bs.serving-sys[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@a1.interclick[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@legobrandretail.112.2o7[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@overture[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@realmedia[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@network.realmedia[2].txt
C:\Documents and Settings\Stephen\Cookies\stephen@ads.pointroll[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@megabrands.122.2o7[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@interclick[2].txt
C:\Documents and Settings\Stephen\Cookies\stephen@banners.battleon[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@mediaplex[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@2o7[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@insightexpressai[2].txt
C:\Documents and Settings\Stephen\Cookies\stephen@account.lego[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@questionmarket[2].txt
C:\Documents and Settings\Stephen\Cookies\stephen@ad.yieldmanager[2].txt
C:\Documents and Settings\Stephen\Cookies\stephen@pointroll[2].txt
C:\Documents and Settings\Stephen\Cookies\stephen@cdn4.specificclick[2].txt
C:\Documents and Settings\Stephen\Cookies\stephen@specificclick[2].txt
C:\Documents and Settings\Stephen\Cookies\stephen@ehg-legonewyorkinc.hitbox[2].txt
C:\Documents and Settings\Stephen\Cookies\stephen@ads.intergi[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@adlegend[2].txt
C:\Documents and Settings\Stephen\Cookies\stephen@eyewonder[2].txt
C:\Documents and Settings\Stephen\Cookies\stephen@247realmedia[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@hitbox[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@intermundomedia[2].txt
C:\Documents and Settings\Stephen\Cookies\stephen@msnportal.112.2o7[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@specificmedia[1].txt
cdn4.specificclick.net [ C:\Documents and Settings\True Foundations\Application Data\Macromedia\Flash Player\#SharedObjects\VJ5AFMJW ]
ia.media-imdb.com [ C:\Documents and Settings\True Foundations\Application Data\Macromedia\Flash Player\#SharedObjects\VJ5AFMJW ]
udn.specificclick.net [ C:\Documents and Settings\True Foundations\Application Data\Macromedia\Flash Player\#SharedObjects\VJ5AFMJW ]
C:\Documents and Settings\True Foundations\Cookies\true_foundations@insightexpressai[1].txt
C:\Documents and Settings\True Foundations\Cookies\true_foundations@pointroll[2].txt
C:\Documents and Settings\True Foundations\Cookies\true_foundations@ads.pubmatic[2].txt
C:\Documents and Settings\True Foundations\Cookies\true_foundations@hitbox[1].txt
C:\Documents and Settings\True Foundations\Cookies\true_foundations@revsci[1].txt
C:\Documents and Settings\True Foundations\Cookies\true_foundations@questionmarket[1].txt
C:\Documents and Settings\True Foundations\Cookies\true_foundations@www.windowsmedia[2].txt
C:\Documents and Settings\True Foundations\Cookies\true_foundations@specificclick[1].txt
C:\Documents and Settings\True Foundations\Cookies\true_foundations@network.realmedia[2].txt
C:\Documents and Settings\True Foundations\Cookies\true_foundations@lucidmedia[2].txt
C:\Documents and Settings\True Foundations\Cookies\true_foundations@trvlnet.adbureau[2].txt

Trojan.Agent/Gen-Kryptic
C:\WINDOWS\TEMP\FFFADA7E.TMP
C:\WINDOWS\TEMP\FFFA850B.TMP
C:\WINDOWS\TEMP\FFFA8634.TMP
C:\WINDOWS\TEMP\FFFABA25.TMP
C:\WINDOWS\TEMP\FFFABFA3.TMP
C:\WINDOWS\TEMP\FFFAC5FC.TMP
C:\WINDOWS\TEMP\FFFAC977.TMP
C:\WINDOWS\TEMP\FFFACAA0.TMP
C:\WINDOWS\TEMP\FFFACC74.TMP
C:\WINDOWS\TEMP\FFFACF24.TMP
C:\WINDOWS\TEMP\FFFACF62.TMP
C:\WINDOWS\TEMP\FFFACFA1.TMP
C:\WINDOWS\TEMP\FFFAD416.TMP
C:\WINDOWS\TEMP\FFFAD425.TMP
C:\WINDOWS\TEMP\FFFAD6C5.TMP
C:\WINDOWS\TEMP\FFFAD752.TMP
C:\WINDOWS\TEMP\FFFAD771.TMP
C:\WINDOWS\TEMP\FFFAD7AF.TMP
C:\WINDOWS\TEMP\FFFADD9B.TMP

Trojan.Agent/Gen-Frauder
C:\WINDOWS\TEMP\FFFACF72.TMP
C:\WINDOWS\TEMP\FFFAD195.TMP

While I had the app up, I went ahead and told it to do a scan of memory and register items in case the above repair might allow the mem/reg scan to be able to complete this time.

No such luck, it found the same two mem and 6 reg items that it has been previously finding and then the app closed.

Okay, I am done posting now. :-)

ken545
2011-01-06, 10:39
About 95% of what SAS found were cookies but it also removed some bad stuff.

Scan With RootKitUnHooker


Please choose one link and download Rootkit Unhooker and save it to your desktop.
Link 1 (http://www.kernelmode.info/ARKs/RKUnhookerLE.EXE)
Link 2 (http://www.kernelmode.info/ARKs/RKUnhookerLE.zip)
Link 3 (http://www.kernelmode.info/ARKs/RkU3.8.388.590.rar)

Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers and Stealth
Uncheck the rest, then click OK
When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
Wait till the scanner has finished and then click File > Save Report.
Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in your next reply.


Note** you may get the following warning, just click OK and continue.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

psbsubs4
2011-01-06, 14:16
Thanks. Here is the report from the rootkit unhook tool


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xF4996000 C:\WINDOWS\system32\DRIVERS\lvuvc.sys 6750208 bytes (Logitech Inc., Logitech USB Video Class Driver)
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 4247552 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 52.16 )
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189056 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2189056 bytes
0x804D7000 RAW 2189056 bytes
0x804D7000 WMIxWDM 2189056 bytes
0xBF800000 Win32k 1847296 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1847296 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF6C04000 C:\WINDOWS\System32\DRIVERS\nv4_mini.sys 1466368 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 52.16 )
0xF6ABF000 C:\WINDOWS\system32\DRIVERS\BCMSM.sys 1101824 bytes (Broadcom Corporation, Modem Device Driver)
0xF758D000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF2B89000 C:\WINDOWS\system32\Drivers\CVPNDRVA.sys 503808 bytes (Cisco Systems, Inc., Cisco Systems VPN Client IPSec Driver)
0xF50CC000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF6955000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF51D9000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xF2A47000 C:\WINDOWS\System32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0xF6A56000 C:\WINDOWS\system32\drivers\emu10k1m.sys 286720 bytes (Creative Technology Ltd., Creative SB Live! Adapter Driver)
0xF1DE3000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF76D4000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF2CF4000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7560000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF2584000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xF5164000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF51B1000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF50A6000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF6A32000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF6BCC000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF25AF000 C:\WINDOWS\system32\drivers\aec.sys 143360 bytes (Microsoft Corporation, Microsoft Acoustic Echo Canceller)
0xF6A9C000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF518F000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806EE000 ACPI_HAL 131840 bytes
0x806EE000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF766C000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF76A4000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF6A03000 C:\WINDOWS\system32\DRIVERS\dne2000.sys 110592 bytes (Deterministic Networks, Inc., Deterministic Network Enhancer)
0xF7546000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF768C000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF3767000 C:\WINDOWS\System32\DLA\DLAUDFAM.SYS 98304 bytes (Sonic Solutions, Drive Letter Access Component)
0xF497E000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF762D000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF69EC000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xF377F000 C:\WINDOWS\System32\DLA\DLAIFS_M.SYS 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xF3751000 C:\WINDOWS\System32\DLA\DLAUDF_M.SYS 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7644000 DRVMCDB.SYS 90112 bytes (Sonic Solutions, Device Driver)
0xF25D2000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF6A1E000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF6BF0000 C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xF5232000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF761A000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF765A000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF76C3000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF69DB000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF6D9A000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF78C3000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF7893000 C:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF7873000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF78D3000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF5026000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF7953000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF28EF000 C:\WINDOWS\system32\drivers\swmidi.sys 57344 bytes (Microsoft Corporation, Microsoft GS Wavetable Synthesizer)
0xF7763000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF28DF000 C:\WINDOWS\system32\drivers\DMusic.sys 53248 bytes (Microsoft Corporation, Microsoft Kernel DLS Synthesizer)
0xF6D8A000 C:\WINDOWS\System32\DRIVERS\HPZid412.sys 53248 bytes (HP, IEEE-1284.4-1999 Driver (Windows 2000))
0xF78A3000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF78E3000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7743000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7903000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7783000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xF7993000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF78B3000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7733000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF78F3000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF5006000 C:\WINDOWS\System32\Drivers\DRVNDDM.SYS 40960 bytes (Sonic Solutions, Device Driver Manager)
0xF7723000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF7943000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF299F000 C:\WINDOWS\System32\DRIVERS\secdrv.sys 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0xF7923000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7843000 C:\WINDOWS\System32\Drivers\vbma3a2b.SYS 40960 bytes
0xF7863000 C:\WINDOWS\System32\DRIVERS\AN983.sys 36864 bytes (ADMtek Incorporated., ADMtek AN983/AN985/ADM951X NDIS5 Driver)
0xF7753000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7853000 C:\WINDOWS\System32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF7913000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF7973000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF1C3B000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF7773000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF7883000 C:\WINDOWS\system32\drivers\sfmanm.sys 36864 bytes (Creative Technology Ltd., SoundFont(R) Manager)
0xF77B3000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7ADB000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF79E3000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF79EB000 C:\WINDOWS\System32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF7AD3000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7A63000 C:\WINDOWS\System32\DLA\DLABOIOM.SYS 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7AE3000 C:\WINDOWS\System32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF79A3000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF79FB000 C:\WINDOWS\System32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xF7A0B000 C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF79CB000 C:\WINDOWS\System32\Drivers\DLARTL_N.SYS 24576 bytes (Sonic Solutions, Shared Driver Component)
0xF7AFB000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF7A03000 C:\WINDOWS\System32\DRIVERS\HPZius12.sys 24576 bytes (HP, 1284.4<->Usb Datalink Driver (Windows 2000))
0xF7AEB000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7AF3000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7ACB000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF79D3000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7B2B000 C:\WINDOWS\System32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF7A1B000 C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys 20480 bytes (-, -)
0xF79DB000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF79AB000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7B0B000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7B13000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF7B03000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7A23000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF37F9000 C:\WINDOWS\System32\DLA\DLAOPIOM.SYS 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0xF69BB000 C:\WINDOWS\System32\DRIVERS\HPZipr12.sys 16384 bytes (HP, IEEE-1284.4-1999 Print Class Driver)
0xF7BB7000 C:\WINDOWS\system32\drivers\MODEMCSA.sys 16384 bytes (Microsoft Corporation, Unimodem CSA Filter)
0xF747E000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF374D000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7C13000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7BFF000 C:\WINDOWS\System32\DRIVERS\usbscan.sys 16384 bytes (Microsoft Corporation, USB Scanner Driver)
0xF7B33000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF527D000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7C0F000 C:\WINDOWS\System32\DRIVERS\gameenum.sys 12288 bytes (Microsoft Corporation, Game Port Enumerator)
0xF7C1B000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7BD7000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7BBB000 C:\WINDOWS\System32\Drivers\vulfntr.sys 12288 bytes (VIA Technologies, Inc., VIA USB Roothub Lower Filter Driver)
0xF7BDF000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xF7C97000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7C87000 C:\WINDOWS\system32\drivers\ctlfacem.sys 8192 bytes (Creative Technology Ltd., Creative SB Live! Interface Driver)
0xF7C89000 C:\WINDOWS\System32\Drivers\DLACDBHM.SYS 8192 bytes (Sonic Solutions, Shared Driver Component)
0xF7C43000 C:\WINDOWS\System32\DLA\DLAPoolM.SYS 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7CCB000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7C95000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7C23000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7C99000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7CDF000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF7C9B000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7CB9000 C:\WINDOWS\system32\drivers\splitter.sys 8192 bytes (Microsoft Corporation, Microsoft Kernel Audio Splitter)
0xF7C8B000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7C93000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7C85000 C:\WINDOWS\System32\Drivers\vulfnth.sys 8192 bytes (VIA Technologies, Inc., VIA USB Host Controller Lower Filter Driver)
0xF7C25000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7D5C000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7D58000 C:\WINDOWS\System32\DRIVERS\ctljystk.sys 4096 bytes (Creative Technology Ltd., Creative Joyport Enabler)
0xF7DFB000 C:\WINDOWS\System32\DLA\DLADResN.SYS 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7CF9000 C:\WINDOWS\system32\drivers\drmkaud.sys 4096 bytes (Microsoft Corporation, Microsoft Kernel DRM Audio Descrambler Filter)
0xF7D13000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7D0B000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7CEB000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x86E4F109 unknown_irp_handler 3831 bytes
==============================================
>Stealth
==============================================
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\vbma3a2b.sys]
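
A triage pass over a Rootkit Unhooker report in the format posted above, as an added example that is not part of the original thread and not Rootkit Unhooker's own logic. The three heuristics (file-backed driver with no version information, base address not page-aligned, driver path also listed under Stealth) and the `dump_` exclusion are assumptions of this example; the input lines are excerpted from the report in the post above.

```python
import ntpath
import re

# Lines excerpted from the Rootkit Unhooker LE report posted above.
REPORT_EXCERPT = r"""
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189056 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2189056 bytes
0xF497E000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7843000 C:\WINDOWS\System32\Drivers\vbma3a2b.SYS 40960 bytes
0xF7A1B000 C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys 20480 bytes (-, -)
0xF1C3B000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x86E4F109 unknown_irp_handler 3831 bytes
==============================================
>Stealth
==============================================
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\vbma3a2b.sys]
"""

# "<base> <name or path> <size> bytes" with an optional "(vendor, description)" tail.
DRIVER_RE = re.compile(
    r"^(0x[0-9A-Fa-f]{8})\s+(.+?)\s+(\d+) bytes(?:\s+\((.*)\))?\s*$"
)
LOCKED_RE = re.compile(r"^WARNING: File locked for read access \[(.+)\]\s*$")


def parse_report(text):
    """Return (drivers, locked_paths) parsed from the >Drivers and >Stealth sections."""
    drivers, locked, section = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(">"):
            section = line[1:]
            continue
        if section == "Drivers":
            m = DRIVER_RE.match(line)
            if m:
                base, name, size, info = m.groups()
                drivers.append(
                    {"base": int(base, 16), "name": name,
                     "size": int(size), "info": info}
                )
        elif section == "Stealth":
            m = LOCKED_RE.match(line)
            if m:
                # Windows paths are case-insensitive, so compare lowercased.
                locked.add(m.group(1).lower())
    return drivers, locked


def triage(drivers, locked):
    """Return [(name, [reasons])], entries with the most reasons first."""
    findings = []
    for d in drivers:
        name = d["name"]
        leaf = ntpath.basename(name).lower()
        is_file = "\\" in name or leaf.endswith((".sys", ".dll", ".exe"))
        # "(-, -)" or a missing tail both mean no vendor/description resource.
        no_info = not d["info"] or not d["info"].strip("-, ")
        reasons = []
        # Assumption: dump_*.sys entries are the in-memory crash-dump copies of
        # the storage drivers, which normally carry no version information.
        if is_file and no_info and not leaf.startswith("dump_"):
            reasons.append("no version information")
        # Loaded driver images start on a 4 KiB page boundary; code at an
        # unaligned address is not a normally mapped image.
        if d["base"] & 0xFFF:
            reasons.append("base address not page-aligned")
        if name.lower() in locked:
            reasons.append("file locked for read access")
        if reasons:
            findings.append((name, reasons))
    findings.sort(key=lambda f: -len(f[1]))  # stable: report order kept within ties
    return findings


if __name__ == "__main__":
    for name, reasons in triage(*parse_report(REPORT_EXCERPT)):
        print(f"{name}: {'; '.join(reasons)}")
```

A hit is a prompt for closer inspection, not a verdict: a legitimate driver can ship without version resources.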

psbsubs4
2011-01-06, 15:18
This is some follow-up to the prior post so please also see the prior post. Two items.


1. The rootkit instructions were just about scanning so I did not do any repair steps. Just wanted to be sure I was doing the right thing there.

2. When a repair is done and a reboot is required, is there a rule of thumb whether or not to reboot in normal vs. safe mode? That is, does a reboot into safe mode bypass whatever pending update there is that required a reboot in the first place and therefore I should do those reboots by booting into a normal session?

ken545
2011-01-06, 18:15
Hi,

There was nothing to repair so you're fine.

You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see. If the site says this file has been checked before, have them check it again


C:\WINDOWS\system32\drivers\vbma3a2b.sys <--This file



If the site is busy you can try this one
http://virusscan.jotti.org/en

psbsubs4
2011-01-07, 00:13
When I did that, the VirusTotal screen "went dark" and a window popped up that said

SENDING FILE
Do not close this window until the upload ends. The time required for this operation depends on the file size, the net load and your connection speed

then the pop up window closed, the "darkness" goes away to where I see the regular VirusTotal screen but nothing happens. There is no report, no message, no query to get an e-mail address from me to send a report to. It is as if I had never uploaded the file at all.

Am I doing something wrong or is the virus intercepting what I am trying to do?

I tried to zip the file and attach it to this post but the zip process got an error. The log for the zip process says


Action: Add (and replace) files Include subfolders: yes Save full path: no
Include system and hidden files: yes
Adding vbma3a2b.sys
Warning: could not open for reading: C:\WINDOWS\system32\drivers\vbma3a2b.sys
copying Zip file

ken545
2011-01-07, 00:54
Hi,

I did not ask you to zip and attach the file, what am I going to do with it? I just need you to upload it to a site to be checked.

Try the second link I posted if VirusTotal won't work

psbsubs4
2011-01-07, 12:53
I did the choose file then submit file and in the Status: / Upload progress: area it says

File is empty (0 bytes)!

which brings to mind the error that I got when trying to zip the file, which was

Warning: could not open for reading:

I bet these scanning sites are not able to open up the file.

ken545
2011-01-07, 13:22
Try this, I just want to make sure it's not a legit file before we remove it

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:file
vbma3a2b.sys


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

psbsubs4
2011-01-07, 23:56
The tool cannot find the file (and I verified that it is still there). I also tried the tool with the fully qualified path.

SystemLook 04.09.10 by jpshortstuff
Log created at 16:58 on 06/01/2011 by Paul Brown
Administrator - Elevation successful

========== file ==========

vbma3a2b.sys - Unable to find/read file.

-= EOF =-

SystemLook 04.09.10 by jpshortstuff
Log created at 16:58 on 06/01/2011 by Paul Brown
Administrator - Elevation successful

========== file ==========

C:\WINDOWS\system32\drivers\vbma3a2b.sys - Unable to find/read file.

-= EOF =-

ken545
2011-01-08, 00:22
The file is not zipped, it's just an .exe file

If they won't work, try doing this in Safemode

To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)






Plug this into System Look

:file
C:\WINDOWS\system32\drivers\vbma3a2b.sys






Make sure to use Internet Explorer for this

Please go to VirSCAN.org FREE on-line scan service (http://virscan.org/)
Copy and paste the following file path, one at a time, into the "Suspicious files to scan" box on the top of the page
make sure the scan is complete and the results saved before submitting the next one.

C:\WINDOWS\system32\drivers\vbma3a2b.sys

Click on the Upload button
If a pop-up appears saying the file has been scanned already, please select the ReScan button.
Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
Paste the contents of the Clipboard in your next reply.

psbsubs4
2011-01-08, 02:27
Hi,

Tried w/ & w/o path in safe mode under admin ID. Same results. Cannot read file. Also, I cannot do the 2nd 1/2 of your instructions because IE was disabled in addition to SB S&D way back at the beginning of when all of this started. I have been using Google Chrome to access the internet.


SystemLook 04.09.10 by jpshortstuff
Log created at 19:28 on 07/01/2011 by Administrator
Administrator - Elevation successful

========== file ==========

C:\WINDOWS\system32\drivers\vbma3a2b.sys - Unable to find/read file.

-= EOF =-

SystemLook 04.09.10 by jpshortstuff
Log created at 19:29 on 07/01/2011 by Administrator
Administrator - Elevation successful

========== file ==========

vbma3a2b.sys - Unable to find/read file.

-= EOF =-

ken545
2011-01-08, 03:30
That may work with Chrome, not sure, give it a try

psbsubs4
2011-01-08, 04:19
It tells me "Error. Can't upload the file".

Also...

I thought I remembered that during one of my attempts early on to install SB S&D that it had the option to add a scan to a right click menu and I selected to do that.

I thought I would try it on this file that we are trying to check out. (Safe mode; admin ID.) The right click option was not there but there was one there for Malwarebytes. I tried that but it did not launch. I reinstalled the app, tried the right click on the file again and it launched the app and tried to scan. The status showed a few seconds ticking by (so the scan was "in progress") and then the application screen just disappeared (just like when doing a full scan.)

ken545
2011-01-08, 12:49
Let's not worry about that for the time being, let's run this program


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

psbsubs4
2011-01-08, 16:09
I cannot run the app (Safe mode; admin ID.)

A tiny window with no borders and a progress bar opens. The progress bar goes all the way to the right, nothing else happens and then a few seconds later the tiny window goes away.

Regarding my last post, when I was in the Malware tool, I saw a tab or button or something that was a "File assassin". Should I try running that against the vbma3a2b.sys file?

ken545
2011-01-08, 18:05
Hi,

Removing this garbage can most times be very frustrating but hang in there and we will get it removed. I have been at this close to 7 years and am affiliated with many malware forums, all of us helpers work together helping each other to remove this junk, what you have is a Rootkit, it's new and I was not aware of it until a few hours ago. That file is bad but File Assassin would do no good as this infection will just put it back. Combofix will remove this infection but the rootkit is preventing it from running, so this is what you need to do.

Right Click on My Computer > Right Click on Properties > click Hardware > on the top click Tools > on the top click View
> click on Show Hidden Devices > look under Non-Plug and Play Drivers.

Look for vbma3a2b or vbma or something like [cmz vmkd], if found, Right Click on it and select Disable. <--Important...not delete

Then give Combofix another go

psbsubs4
2011-01-08, 18:59
Thanks for the encouraging words. I appreciate them. One of the blessings of children is that they teach patience. I still have room for improvement but I like to think I have learned some over the years! So I am hanging in there! :-)

I think I got to the same place (BTW, I am running XP, SP3). Safe mode, Admin ID, My Computer, Properties, hardware, I clicked Device Manager, then View, then Show Hidden Devices. I do not see any of the file names that you have listed. Here is what I see:

(Hopefully I did not miss anything or have any typos.
Typed once, verified once and again checked the spelling on all of the odd looking stuff.)

ADF Networking Support Environment
ASPI32
Beep
ceaf (with a caution sign on it)
Cisco systems inc, IPsec driver
Creative Interface Manager Driver (WDM)
Creative SOundFont Manager Driver (WDM)
dmboot
dmload
fips
Generic Packer Classifier
HTTP
IP Network Address Translator
IPSEC Driver
ksecdd
Logitech LVPr2Mon Driver
mnmdd <-- triple checked the spelling
mountmgr
NDIS System Driver
NDIS Usermode I/O Protocol
NDProxy
NetBios over Tcpip
Normandy SR2
Null
ONSIO <-- triple checked the spelling
PartMgr
ParVdm <-- triple checked the spelling
RDPCDD <-- triple checked the spelling
Remove access auto connection Driver
Remove access IP ARP Driver
SASDIFSV <-- triple checked the spelling
SASKUTIL <-- triple checked the spelling
Secdrv <-- triple checked the spelling
TCP/IP Protocol Driver
VgaSave <-- triple checked the spelling
VolSnap <-- triple checked the spelling
vsdatant <-- triple checked the spelling
Windows Drover Foundation - User-mode Driver Framework Platform Driver
Windows socket 2.0 non-IFS Service provider Support Environment

ken545
2011-01-08, 19:07
You may not have gone far enough

Right Click on My Computer > Right Click on Properties > click Hardware > on the top click Tools > on the top click View
> click on Show Hidden Devices > look under Non-Plug and Play Drivers.

psbsubs4
2011-01-09, 00:58
I do not have a "Tool" button to pick but I think I am getting to where you want me to go.... just another way...

I just forgot to say the Non-plug and Play Drivers part. I took a bmp pic of where I am at and zipped it. You can look at the attachment to see where I was at.

ken545
2011-01-09, 04:09
First reboot your system into normal windows and log in with your usual account, not administrator, and give it another look

Right Click on My Computer > Right Click on Properties > click Hardware > on the top click Tools > on the top click View
> click on Show Hidden Devices > look under Non-Plug and Play Drivers.


If you still don't see them look here
Device Manager under System Devices

When you find them right click and disable them and then give CF another try

psbsubs4
2011-01-09, 05:34
Normal logon (not safe mode) with normal ID (which has admin rights but is NOT the official "Administrator" account that I have been using when I boot into safe mode).

[cmz vmkd] was under System devices. I disabled it. Launched Combofix. It showed the same tiny window again and it seemed to get further in the install (the hourglass would show, go away, come back, go away again ... did that about a 1/2 dozen times but then it still just stopped running (the tiny little window went away)). By tiny window, I mean tiny... just barely large enough for the progress bar to fit on. BTW, the progress bar goes all the way to the right like it did 100% of that particular part of the install and then after that is when the hourglass comes and goes like it is trying to do more of an install.

psbsubs4
2011-01-09, 05:38
See prior post. I am adding in here a zipped jpeg pic of the System Devices. BTW, neither of the VBMA items showed in the system devices area. Just the [cmz vmkd] one is what showed.

ken545
2011-01-09, 12:20
Well the file associated with this is randomly named so what you disabled is fine.


Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.

Go to http://www.techsupportforum.com/sectools/tetonbob/StartBtn.gif -> Run -> copy/paste in the following single line command & click OK


"%userprofile%\desktop\combofix.exe" /killall

http://www.techsupportforum.com/sectools/tetonbob/killall.JPG

Click OK and this will start ComboFix in a special way.
When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply along with a fresh HJT log.


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* After you have saved the logs, restart your system to re-enable all the programs that were disabled during the running of ComboFix.

* Reconnect to the internet

* Post the following logs/Reports:
ComboFix.txt

psbsubs4
2011-01-09, 22:52
Same problem. Small Combobox window just goes away. Tried in normal mode with my regular logon and in safe mode with the admin logon.

ken545
2011-01-09, 22:54
Run these programs in order please.

Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.

Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).






Please download rkill (Courtesy of Bleepingcomputer.com).
There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
Note: You only need to get one of the tools to run, not all of them.




1. rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
2. rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
3. rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
4. WiNlOgOn.exe (http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe)
5. uSeRiNiT.exe (http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe)


Note: You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message.

Run rkill repeatedly until it's able to do its job. This may take a few tries.

You'll be able to tell rkill has done its job when your desktop (explorer.exe) cycles off and then on again.




Then try Combofix again

psbsubs4
2011-01-10, 04:09
Hi,

Sometimes you have me run stuff in safe mode and other times in the normal log on. You did not say which to try these under. I tried them under the normal logon.

I ran exe helper. Did not need to run twice since I did not get the message you said I might get.

Here is the Exehelper log

exeHelper by Raktor
Build 20100414
Run at 21:01:56 on 01/09/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

I ran rkill (the first one) and Explorer cycled.

Here is the Rkill log

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/09/2011 at 21:04:15.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

\\.\globalroot\Device\svchost.exe\svchost.exe
C:\Documents and Settings\Paul Brown\My Documents\RCA Detective\RCADetective.exe


Rkill completed on 01/09/2011 at 21:04:30.

I see RCADetective. While I cannot remember what that is exactly, I have had it quite some time. It is part of something I installed and it has not been giving me trouble. I think it came with the software that I use to transfer my digital voice recorder files over to a CD. So, while I guess that a virus could potentially find the file and embed itself there, the file itself is not the virus because I had it long before the virus.

You did not say which way to run Combofix. I ran the version from the Start -> Run -> "%userprofile%\desktop\combofix.exe" /killall

I got the same results. That is, the tiny window, then it closed without finishing.

ken545
2011-01-10, 10:27
Good Morning,

You should run all the programs from your usual account, not administrator, and try to run them first in normal windows, then safemode.

Bring up Task Manager using CTRL+ALT+DELETE. See if any of these processes are running ...Kill process on each one, one at a time, until CF runs

findstr
sed
grep.
nircmd.exe
nircmd.cfexe
swsc.cfexe
* .. or any other process that has the .cfexe extension except for CFxxx.cfexe

If ComboFix is still 'hung', then kill process on CFxxx.cfexe

psbsubs4
2011-01-10, 13:30
Good morning,

None of the processes you mentioned are running. I tried everything again in normal mode, same results, Combofix does not run. I tried everything again in safe mode, normal logon ID. Same results. I am attaching a pic of my task manager in a zipped file. I am inserting the exehelper and rkill logs.


exeHelper by Raktor
Build 20100414
Run at 06:26:55 on 01/10/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/10/2011 at 6:28:13.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

\\.\globalroot\Device\svchost.exe\svchost.exe


Rkill completed on 01/10/2011 at 6:28:18.
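
A triage pass over the rkill output posted above, as an added example (not part of the thread and not rkill's own code). It pulls the terminated-process paths out of a log and flags any that sit in the \\.\ device namespace or that use a Windows system process name outside its usual folder. The sample text is the log from the 2011-01-09 post; the folder table assumes a default C:\Windows install, and the function names are made up for this example.

```python
# Triage of an rkill log: which terminated processes deserve a closer look?
# Heuristics used here are assumptions of this example, not rules from rkill.

# Sample input: the rkill log posted in this thread on 2011-01-09.
RKILL_LOG = r"""This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/09/2011 at 21:04:15.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

\\.\globalroot\Device\svchost.exe\svchost.exe
C:\Documents and Settings\Paul Brown\My Documents\RCA Detective\RCADetective.exe


Rkill completed on 01/09/2011 at 21:04:30.
"""

SECTION_HEADER = "Processes terminated by Rkill or while it was running:"
SECTION_END = "Rkill completed"

# Win32 device-namespace prefixes: a path that starts with one of these is not
# an ordinary drive-letter path that Explorer or DIR would show.
DEVICE_PREFIXES = ("\\\\.\\", "\\\\?\\")

# Usual location of a few Windows system processes on a default install
# (assumption: Windows lives in C:\Windows).
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def terminated_processes(log_text):
    """Return the image paths listed in the 'Processes terminated' section."""
    paths, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(SECTION_HEADER):
            in_section = True
        elif line.startswith(SECTION_END):
            in_section = False
        elif in_section and line:
            paths.append(line)
    return paths


def classify(path):
    """Return a list of reasons this path looks odd (empty list = none)."""
    reasons = []
    lowered = path.lower()
    if lowered.startswith(DEVICE_PREFIXES):
        reasons.append("device-namespace path, no drive letter")
    parent, _, name = lowered.rpartition("\\")
    expected = EXPECTED_DIR.get(name)
    if expected is not None and parent != expected:
        reasons.append(f"{name} running from outside {expected}")
    return reasons


def triage(log_text):
    """Map every terminated process path to its list of reasons."""
    return {p: classify(p) for p in terminated_processes(log_text)}


if __name__ == "__main__":
    for path, reasons in triage(RKILL_LOG).items():
        verdict = "; ".join(reasons) if reasons else "nothing flagged"
        print(f"{path}\n    -> {verdict}")
```

An entry with nothing flagged is not cleared by this check; it only means neither heuristic fired.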

ken545
2011-01-10, 18:07
You need to click on Combofix to run and when it quits then go into taskmanager and see if those processes are running and kill them.

If that don't get it going then try this.

Open NOTEPAD.exe and copy/paste the text in the codebox below:
(don't forget to copy and paste REGEDIT4)


REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\Eventlog]
"Start"=dword:00000004

Save this as fix.reg Choose to "Save type as - All Files"

Double click on fix.reg & allow it to merge into the registry

Reboot the machine once this is done and run combofix again.

ken545
2011-01-10, 18:41
Hi,

If you have not disabled Eventlog yet, hang off a bit.

Do this.

Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location. Note: to restore your registry, go to the backup folder and start ERDNT.exe


Now we're going to remove the bad entry from the windows registry

[cmz vmkd] <--Check System Services again and make sure this is disabled

Click "Start"> "Run"> type in Regedit tap Enter Key

Make sure "My Computer" is highlighted

Click "Edit"> "Find"
Type in [cmz vmkd] tap Enter Key.
Right Click on the file if found and select "Delete"

Tap the "F3" Key to find the next entry of the file. Continue using the "F3" Key until it's finished searching.

Close Regedit.


Then try CF again

psbsubs4
2011-01-11, 01:43
Per your instructions in post #48, I skipped post #47.

Logged onto XP normally using my normal ID

You did not say what options to select in ERUNT so I backed up once using Sys Reg + Current User and again using all three check boxes (cannot recall the name of the third one... something like all other)

The bad boy was not disabled under system devices. I disabled it.

Tried RegEdit. Found it in 6 places but I was prevented from deleting any of them. (Do not recall the exact text but after I right clicked and selected delete, it said something to the order that I cannot or was not able to delete the files.)

ken545
2011-01-11, 01:50
Want you to know that with this being new and hard to remove we have a lot of helpers looking in to see how to remove it.


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:regfind
[cmz vmkd]
:filefind
[cmz vmkd]


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

psbsubs4
2011-01-11, 04:09
I am thankful for all of the great minds that are working on this. I appreciate it. Hopefully I am giving you good feedback that you can use to help other people in the future.

The program ran for a while and then just closed. Here is the contents of the log:

SystemLook 04.09.10 by jpshortstuff
Log created at 20:47 on 10/01/2011 by Paul Brown
Administrator - Elevation successful

========== regfind ==========

Searching for "[cmz vmkd]"


Suspecting that the program was killed, and judging that there are two commands, I thought I would try to run them individually. However, when I tried to launch the program, it did not open again. Did not give me the "cannot find file" error though either.

I am suspecting that one of the commands is you wanting to know the registry locations. Therefore, the registry search you had me do previously, I did again. Not wanting to try and write them down since reg keys are so messy, I made screen shots of the keys. Since I am in my regular logon (where I have handy screen capture software), I am going to make three pics (each holding two of the 6 key locations) and then open all three pics and make one pic and send that to you. That way, you can see it all in one nice spot.

I cannot recall if you asked previously for a registry search on vbma3a2b or if I just did it out of curiosity but I went ahead and searched again for it now. The value is in a lot of places so I will not be able to combine them all in one pic. Instead, there will be a set of 12 pics showing the different registry locations/values.

ken545
2011-01-11, 09:56
You should have put both in SystemLook as per instructions, it will take multiple entries

Let's try deleting vbma3a2b, again, back up your registry with ERUNT

Click "Start"> "Run"> type in Regedit tap Enter Key

Make sure "My Computer" is highlighted

Click "Edit"> "Find"
Type in vbma3a2b tap Enter Key.
Right Click on the file if found and select "Delete"

Tap the "F3" Key to find the next entry of the file. Continue using the "F3" Key until it's finished searching.

Close Regedit.


DO NOT REBOOT and give CF another try

psbsubs4
2011-01-11, 13:10
Sorry I was not clear enough on the last post. I DID try both commands at the same time. That is when/how the screen died.

In hopes of getting a partial log, I was then going to try one command at a time hoping that at least one of the two commands might succeed by itself. For example, perhaps the screen got through the first command and died on the second command so if I could get the first one to run, then I could get that part of the log created.

I tried to delete vbma3a2b in the registry but was prevented from doing so. The message it gave was "Unable to delete all specified values"

ken545
2011-01-11, 13:27
Try this in Safemode


Disable or uninstall the [cmz vmkd] in device manager

Run regedit and try deleting the vbma3a2b entries again

Exit regedit and run CF

psbsubs4
2011-01-12, 00:51
Safe mode; admin ID (not my ID with Admin auth):
Disabled in device manager.
Still cannot delete in the registry.
Also tried to delete [cmz vmkd] in the registry and could not delete that either.

ken545
2011-01-12, 01:05
Do you think you can follow this? What you have is a brand new rootkit and it's very hard to remove
http://supportforums.sunbeltsoftware.com/messageview.aspx?catid=76&threadid=6635

psbsubs4
2011-01-12, 04:46
I started to follow the instructions and a few things are coming up.

1. Back in the beginning, when the problem first started, I did have some Antivirus2010 windows popping up. I cannot recall but they probably had an OK button or something like that on them but I DO know that whatever the content of the window, I DID NOT interact with it. I closed the window with the "X" in the top right or down on the task bar.

2. I then went to control panel and uninstalled AC2010.

3. Yes, I realize that this was probably critical information that I should have put in my original post. My bad. Sorry about that. It is just that it seemed to "uninstall" so easily from control panel and then I had so much trouble with Net Nanny and SB S&D that I lost sight of the AV2010. Since the AV2010 windows never came back up anymore, I forgot all about it by the time I was creating my post.

4. When I started following the instructions at
http://supportforums.sunbeltsoftware.com/messageview.aspx?catid=76&threadid=6635
there is a point that talks about
us?rinit.exe
I do not have that file (and yes, I tried DIR at the CMD and it did NOT show up.)

5. I wonder if the reason that us?rinit.exe in #4 (the point just above this one) did not show is because of what I did in #2 (further up in this post) ????

6. I continued following the instructions for
http://supportforums.sunbeltsoftware.com/messageview.aspx?catid=76&threadid=6635
but when I got to the regedit part, I did NOT have
HKLM\System\CurrentControlSet\Services\Userinit

I have
HKLM\System\CurrentControlSet\Services\usbvideo
then
HKLM\System\CurrentControlSet\Services\vbma3a2b
No userinit in between them

6. Should I proceed with the instructions just skipping the parts that do not apply?

7. Also, should this be done under my normal login or safe mode/admin or what?

8. I scanned ahead on the instructions.
RE: [Drag each of the files in the list of "failed to open" files onto "inherit.exe" and click "ok" when prompted.]
I am not too sure what that means. Does that mean to launch/install Inherit.exe and some window will open and I drag the files into that window?

9. Of the 4 tools to be downloaded, one references gmer.net but I do not see in the instructions anywhere where that is to be used.

ken545
2011-01-12, 12:49
Good Morning, this is a real doozy to remove. Been at this a long time and this junk is getting harder and harder to remove.

Sometimes it's best to back up your important data to a CD and reformat the drive and reinstall windows, this guarantees a 100% clean computer, but this is your call if you want to proceed with a reinstall.

The purpose of Inherit is that when a program is dragged into it it resets permissions that malware has reset so the tool will run. Sometimes it works and sometimes no.

GMER is run as a final scan to make sure its gone.


I have a few people looking this over, before we proceed let me look into a few things

ken545
2011-01-12, 16:28
What I would like you to do is to drag Combofix to the trash and we are going to download a fresh copy renamed.



But first do this, this picture shows it disabled but what you need to do is uninstall it

http://i24.photobucket.com/albums/c30/ken545/AV2010_devicemgr.png


Then this

Go to START > RUN - copy and paste usrini~1.exe /uninstall Then Enter

Then CF renamed

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

psbsubs4
2011-01-12, 23:03
Hi - I have a question before I proceed with the contents of post #59.

In Post #57, I had a question in point #8

QUOTE from my post, post #57
RE: [Drag each of the files in the list of "failed to open" files onto "inherit.exe" and click "ok" when prompted.]
I am not too sure what that means. Does that mean to launch/install Inherit.exe and some window will open and I drag the files into that window?
END-QUOTE

and in Post #58 you told me the purpose of the program but I was looking for more of a "what am I supposed to see" and "just how am I supposed to do it answer".

QUOTE from your post, post #58
The purpose of Inherit is that when a program is dragged into it it resets permissions that malware has reset so the tool will run. Sometimes it works and sometimes no.
END-QUOTE

My question is about the mechanics of using Inherit.exe. When I get to the part of the instructions that says

[Drag each of the files in the list of "failed to open" files onto "inherit.exe" and click "ok" when prompted.]

Does that mean that I do the install (and then execute) at that time (because I do not see any instructions for when to do the install)?

And, when it is running, just what am I dragging into the tool? Am I supposed to open up explorer, navigate to the file reported in Junction's log.txt file and drop it into there as if I were doing a file move?

Or, am I supposed to cut the text out of Junction's Log.txt file and paste it into the Inherit.exe window? And, if I am to do a cut and paste, how much of the text from the log am I to copy in? That is, if the log shows

Failed to open \\?\c:\\path\file: Access is denied.

do I copy/paste in

\\?\c:\\path\file (with both double \\'s?)

or

c:\\path\file (with the double \\ or a single \?)

or

Some other sub-string of the log listing?

ken545
2011-01-12, 23:06
You don't need Inherit right now, just proceed with the instructions in my previous post

psbsubs4
2011-01-13, 01:15
Normal boot, my ID:

When I try Start -> Run -> usrini~1.exe /uninstall
I get told not found.

I went to C:\Windows and search for
*usrini*
(and I have it set to show hidden files & folders)
and it did not find anything. I then tried searching for
*userini* (Added an "e" to the name) and found a few hits. See zipped screen shot of the hits and advise how I need to proceed.

Thanks

ken545
2011-01-13, 01:39
That's fine, it's most likely gone, you may have removed it when you said you tried to uninstall the program prior to posting, just go ahead with the rest of the fix

psbsubs4
2011-01-13, 03:38
I think CF almost worked. It seemed to work up to the reboot. Then it rebooted. Then it ran for a while building the log after the reboot. However, after a time, I got one of those "program abended, do you want to notify Microsoft" notices for pev-cfxxe. I am pasting below the CF log and I am attaching a zip file of a pic of the program abend / notify MS thing (I also had it show the details and included that in the screen shot as well).


ComboFix 11-01-11.03 - Paul Brown 01/12/2011 20:06:19.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.515 [GMT -6:00]
Running from: c:\documents and settings\Paul Brown\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\.wtav
c:\program files\Gamevance
c:\program files\QUAD Utilities
c:\program files\QUAD Utilities\QUAD Registry Cleaner\QUAD Registry Cleaner Help.chm
C:\Thumbs.db
c:\windows\assembly\GAC\__AssemblyInfo__.ini
c:\windows\jestertb.dll
c:\windows\system32\drivers\vbma3a2b.sys
c:\windows\system32\eventmgr.exe
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_vbma3a2b


((((((((((((((((((((((((( Files Created from 2010-12-13 to 2011-01-13 )))))))))))))))))))))))))))))))
.

2011-01-11 23:54 . 2011-01-11 23:54 38400 ------w- c:\windows\system32\fdrv2.sys
2011-01-05 02:27 . 2011-01-05 23:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-01-04 12:32 . 2011-01-04 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-01-04 12:32 . 2011-01-04 12:32 -------- d-----w- c:\documents and settings\Paul Brown\Application Data\SUPERAntiSpyware.com
2011-01-03 23:58 . 2011-01-03 23:58 -------- d-----w- c:\documents and settings\Paul Brown\Application Data\Malwarebytes
2011-01-03 23:57 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-03 23:57 . 2011-01-03 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-03 23:57 . 2011-01-08 03:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-03 23:57 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-31 06:26 . 2010-12-31 06:26 -------- d-----w- c:\documents and settings\Administrator
2010-12-29 00:43 . 2010-12-29 00:44 -------- d-----w- c:\program files\ERUNT
2010-12-28 23:43 . 2011-01-03 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-12-28 22:31 . 2010-12-28 22:32 -------- d-----w- c:\program files\ContentWatch
2010-12-28 22:31 . 2010-12-28 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\ContentWatch
2010-12-28 00:55 . 2010-12-28 00:55 -------- d-----w- c:\documents and settings\Z Emer Admin\Local Settings\Application Data\HP
2010-12-28 00:55 . 2010-12-28 00:55 -------- d-----w- c:\documents and settings\Z Emer Admin\Local Settings\Application Data\Apple Computer
2010-12-28 00:55 . 2010-12-28 00:55 -------- d-----w- c:\documents and settings\Z Emer Admin\Application Data\Apple Computer
2010-12-28 00:31 . 2010-12-28 00:31 75264 ----a-w- c:\windows\system32\dcaf.sys
2010-12-28 00:28 . 2011-01-11 12:00 75264 ----a-w- c:\windows\system32\ceaf.sys
2010-12-25 20:19 . 2010-12-25 20:23 -------- d-----w- c:\documents and settings\Paul Brown\Application Data\Apple Computer
2010-12-25 20:17 . 2009-05-18 19:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-12-25 20:17 . 2008-04-17 18:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-12-25 20:16 . 2010-12-25 20:16 -------- d-----w- c:\program files\iPod
2010-12-25 20:16 . 2010-12-25 20:17 -------- d-----w- c:\program files\iTunes
2010-12-25 20:16 . 2010-12-25 20:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-12-25 20:15 . 2010-12-25 20:15 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2010-12-25 20:15 . 2010-12-25 20:15 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2010-12-25 20:15 . 2010-12-25 20:15 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2010-12-25 20:15 . 2010-12-25 20:15 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2010-12-25 20:14 . 2010-12-25 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-12-25 20:14 . 2010-12-25 20:14 -------- d-----w- c:\documents and settings\Paul Brown\Local Settings\Application Data\Apple
2010-12-25 20:14 . 2010-12-25 20:14 -------- d-----w- c:\program files\Apple Software Update
2010-12-25 20:13 . 2010-12-25 20:13 -------- d-----w- c:\program files\Bonjour
2010-12-25 20:12 . 2010-12-25 20:16 -------- d-----w- c:\program files\Common Files\Apple
2010-12-25 20:12 . 2010-12-25 20:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-12-25 20:10 . 2010-12-25 20:19 -------- d-----w- c:\documents and settings\Paul Brown\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-15 20:37 . 2010-03-04 02:23 81920 ----a-w- c:\windows\system32\wxcode_msw28u_wxjson_CW.dll
2010-12-15 20:36 . 2010-03-04 02:23 1073152 ----a-w- c:\windows\system32\wxcode_msw28u_wxcurl_CW.dll
2010-12-15 20:34 . 2010-03-04 02:23 975872 ----a-w- c:\windows\system32\libxml2_CW.dll
2010-12-15 20:30 . 2009-01-02 18:47 151552 ----a-w- c:\windows\system32\libexpat.dll
2010-12-15 04:09 . 2010-03-04 02:23 720384 ----a-w- c:\windows\system32\cwalsp.dll
2010-12-15 04:09 . 2010-03-04 02:23 1884160 ----a-w- c:\windows\system32\AltaRecovery.exe
2010-11-29 23:38 . 2010-11-29 23:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38 . 2010-11-29 23:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-28 01:52 . 2007-12-31 02:24 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
.

------- Sigcheck -------

[7] 2009-06-29 . 3CFC56F73D494FC1AA2B6E981DF15ACD . 634632 . . [7.00.6000.16876] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2009-06-29 . 02E2754D3E566C11A4934825920C47DD . 634632 . . [7.00.6000.21073] . . c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ie7\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
[7] 2007-08-13 . DE49B348A18369B4626FBA1D49B07FB4 . 622080 . . [7.00.5730.13] . . c:\windows\ie7updates\KB972260-IE7\iexplore.exe
[7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-15 202024]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-12-14 2424560]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"nwiz"="nwiz.exe" [2003-10-06 741376]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-05-04 550232]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
"cwcptray"="c:\program files\ContentWatch\Internet Protection\cwtray.exe" [2010-12-15 354112]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]

c:\documents and settings\Rachel\Start Menu\Programs\Startup\
Shortcut to WinSnow98.lnk - f:\documents\Long-Term-All-3\2009-07-30\Download\WinSnow98.exe [N/A]

c:\documents and settings\Paul Brown\Start Menu\Programs\Startup\
ClearPlay Easy Updates.lnk - c:\program files\ClearPlay\ClearPlay Easy Updates\ClearPlayEasyUpdates.exe [2008-3-4 1540096]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-2-11 303104]
FastStone Capture.lnk - c:\program files\FastStone Capture\FSCapture.exe [2007-2-12 1111552]
Forget Me Not.lnk - c:\program files\Mindscape\AGSpirit\PMREMIND.EXE [2009-10-26 346624]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]
RCA Detective.lnk - c:\documents and settings\Paul Brown\My Documents\RCA Detective\RCADetective.exe [2009-10-19 1069056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]
Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\PMremind.exe [2009-2-14 331776]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
VPN Client.lnk - c:\windows\Installer\{6DC47739-3BB0-4494-A43D-193BF54070AE}\Icon3E5562ED7.ico [2009-1-13 6144]
WinZip Quick Pick.lnk - c:\z-software-for-installs\Winzip\WZQKPICK.EXE [2011-1-3 106560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=

R1 ceaf;ceaf; [x]
R2 CwAltaService20;ContentWatch;c:\program files\ContentWatch\Internet Protection\cwsvc.exe [2010-12-15 2109440]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-20 136176]
R3 pohci13F;pohci13F;c:\docume~1\PAULBR~1\LOCALS~1\Temp\pohci13F.sys [x]
R3 scsiscan;SCSI Scanner Driver;c:\windows\system32\DRIVERS\scsiscan.sys [2008-04-13 11520]
S1 fdrv2;fdrv2;c:\windows\system32\fdrv2.sys [2011-01-11 38400]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-11-24 88176]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2011-01-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-25 12:20]

2011-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-20 11:27]

2011-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-20 11:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
Trusted Zone: ameren.com
Trusted Zone: brownshoe.com
Trusted Zone: clearplay.com
Trusted Zone: hp.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: VPNJava - hxxps://remote.brownshoe.com/CACHE/stc/1/binaries/VPNJava.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://remote.brownshoe.com/CACHE/stc/1/binaries/vpnweb.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-12 20:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1645522239-602609370-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2232)
c:\windows\system32\WININET.dll
c:\windows\system32\nView.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\BCMSMMSG.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\windows\system32\devldr32.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\imapi.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2011-01-12 20:31:00 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-13 02:30

Pre-Run: 6,289,784,832 bytes free
Post-Run: 7,447,400,448 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 3CB2FFB62DDA788633CA8EDFBCB8B97A

ken545
2011-01-13, 10:03
Good Morning,

Paydirt, you finally got it to run and it removed what we wanted it to. I need to look over your log real close to see if there is more to remove. In the meantime, run this program.


Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please

psbsubs4
2011-01-13, 13:12
Good morning,

MB ran, found three items and needed to reboot (which I did). I will post the log below. After the reboot, I ran the quick scan again and MB abended just like combo fix did after the reboot. That is, I got a "MS anti-MW has encountered a problem and needs to close. We are sorry for the inconvenience" and had the send/don't send buttons. (And since it abended, there is not a 2nd log.)


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5510

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

01/13/2011 6:01:12 AM
mbam-log-2011-01-13 (06-01-12).txt

Scan type: Quick scan
Objects scanned: 251845
Time elapsed: 6 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\GamevanceText.DLL (Adware.GameVance) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\dcaf.sys (Backdoor.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ceaf.sys (Backdoor.Agent) -> Quarantined and deleted successfully.

psbsubs4
2011-01-13, 13:20
Please see prior post.

I did NOT reboot after THAT post and I ran the MW scan again and no errors showed up. I am going to launch a full scan now but I do not know how long it will take so I might have to leave to go to work before it completes.

ken545
2011-01-13, 13:21
Do this and then let me know how things are running now?

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

psbsubs4
2011-01-13, 14:20
Hi,

Just got back to my computer before heading off to work. The full MW scan found more stuff.

I DID NOT click remove selected because I wanted your input before proceeding.

I did say create log and will post it below.

The MW tool is still open and waiting for either repair or abort.

Please let me know if I should continue with the repair and then do what you put in post #68 or if I should abort and go straight to your instructions in post #68

Here is the log from the full scan:


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5510

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

01/13/2011 7:19:43 AM
mbam-log-2011-01-13 (07-19-10).txt

Scan type: Full scan (C:\|)
Objects scanned: 312853
Time elapsed: 52 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 168

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\WinSxS\x86_microsoft.windows.shell.hweventdetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll.vir (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1017\A0162939.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1017\A0162944.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1017\A0162949.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1017\A0162959.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1017\A0162969.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1018\A0162973.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1018\A0162979.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1018\A0163074.sys (Trojan.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1018\A0163075.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1018\A0163437.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1018\A0163082.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1018\A0163157.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1018\A0163162.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1018\A0163237.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1018\A0163248.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1018\A0163249.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1018\A0163259.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1018\A0163336.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1018\A0163341.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1018\A0163343.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1018\A0163353.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1018\A0163428.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1018\A0163432.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1018\A0163518.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1019\A0163533.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1019\A0163542.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1019\A0163545.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1019\A0163555.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1019\A0163561.sys (Trojan.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1019\A0163566.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1019\A0163570.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1019\A0163580.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1019\A0163587.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1019\A0163597.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1019\A0163673.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1019\A0163682.sys (Trojan.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1019\A0163689.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1019\A0163694.sys (Trojan.Agent) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1019\A0163699.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1019\A0163705.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1019\A0163710.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1019\A0163725.dll (Trojan.Agent.Max) -> No action taken.
c:\system volume information\_restore{8fe47a0f-d0fc-4a6a-8d5a-0f39b29ba69f}\RP1020\A0163989.dll (Trojan.Agent.Max) -> No action taken.

ken545
2011-01-13, 18:09
Hi,

All that Malwarebytes found were in your System Restore program; they're harmless unless you try to restore your computer to an earlier date, then you take the chance of becoming infected again. There was also one entry in Qoobox, which is a backup of what Combofix removed. Malwarebytes is one of the better programs to come along in quite a while; it just removes bad stuff, nothing legit.


My instructions for Malwarebytes
Be sure that everything is checked, and click Remove Selected.
I would not have posted this if I wanted you to abort the program. You need to run Malwarebytes again and remove all it finds.



Then to be sure it's all gone, do this:

System Restore is a component of Microsoft's Windows Me, Windows XP, Windows Vista and Windows 7 operating systems that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of malfunctioning or failure. Old restore points can be a source of re-infection.

Please follow the steps below to create a clean restore point:

Click Start > Run > copy and paste the following into the run box:

%SystemRoot%\System32\restore\rstrui.exe
Press OK. Choose Create a Restore Point then click Next.
Name it (something you'll remember) and click Create.
When the confirmation screen shows the restore point has been created click Close.


Then remove all previous Restore Points

Click Start > Run > copy and paste the following into the run box:

cleanmgr
Choose to scan drive C:\ (if C:\ is your main drive).
At the top, click on More Options tab. Click the Clean up... button in the System Restore box.
Click on the Yes button.
When finished, click on Cancel button to exit.



We will remove Qoobox when we're done.


So go ahead and run MBAM, removing what it finds, and post the report. Then run the System Restore program; there is no report for this.

After you have done the above go ahead and run ESET

psbsubs4
2011-01-14, 03:34
Hi - I finished the exec of MWB to remove the bad stuff. Rebooted. Ran a full scan. All clean. I will post the log below. I created the sys restore point and deleted the old points per your instructions. After this post, I will run ESET and post those results as well.


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5510

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

01/13/2011 7:21:52 PM
mbam-log-2011-01-13 (19-21-52).txt

Scan type: Full scan (C:\|E:\|F:\|G:\|)
Objects scanned: 346183
Time elapsed: 1 hour(s), 48 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

psbsubs4
2011-01-14, 13:52
Good morning,

Please see prior post for the run of MWB. Below is the contents of the ESET log.

Thanks


C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_vbma3a2b_.sys.zip a variant of Win32/Rootkit.Kryptik.CK trojan

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\DOH1BRDG\script_card[1] Win32/Adware.Antivirus2010 application

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XG2318XA\uninstall[1] Win32/Adware.Antivirus2010 application

ken545
2011-01-14, 16:17
That bad file is in the Combofix backup folder and the other two are in your Temporary Internet Files.


Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected but will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.



Now open up OTL and click on Cleanup and it will remove all the tools we used to clean your system along with their backups.


How is your computer behaving now?
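The triage ken545 does by eye in the replies above (which detections sit in System Restore snapshots, the Combofix Qoobox backup or the browser cache, and which were left at "No action taken"), as an added example that is not part of the original thread. The log lines are constructed in the Malwarebytes 1.x format shown in this thread, with a placeholder GUID; the location labels and function names are this example's own.

```python
import re
from collections import Counter

# Malwarebytes 1.x detection line: <path> (<detection>) -> <action>.
MBAM_LINE = re.compile(
    r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$"
)

# Location classes (labels are this example's own), checked in order
# against the lower-cased path.
LOCATIONS = [
    ("system_restore",
     re.compile(r"^[a-z]:\\system volume information\\_restore\{")),
    ("tool_backup", re.compile(r"^[a-z]:\\qoobox\\")),
    ("browser_cache", re.compile(r"\\temporary internet files\\")),
]

def classify_path(path):
    """Return where a detected file lives; 'live' means none of the above."""
    lowered = path.strip().lower()
    for label, pattern in LOCATIONS:
        if pattern.search(lowered):
            return label
    return "live"

def triage(log_text):
    """Parse detection lines; headers and summary counters are skipped."""
    rows = []
    for line in log_text.splitlines():
        match = MBAM_LINE.match(line.strip())
        if match:
            rows.append({
                "path": match.group("path"),
                "name": match.group("name"),
                "action": match.group("action"),
                "location": classify_path(match.group("path")),
            })
    return rows

def summarize(rows):
    """Count detections per location and list what was never removed."""
    pending = [r for r in rows if r["action"].lower() == "no action taken"]
    return {
        "by_location": dict(Counter(r["location"] for r in rows)),
        "pending": len(pending),
        "live_pending": [r["path"] for r in pending if r["location"] == "live"],
    }

# Constructed sample, not taken from the thread's logs.
SAMPLE_LOG = r"""Files Infected:
c:\system volume information\_restore{00000000-0000-0000-0000-000000000000}\RP0001\A0000001.sys (Backdoor.Agent) -> No action taken.
c:\system volume information\_restore{00000000-0000-0000-0000-000000000000}\RP0001\A0000002.dll (Trojan.Agent.Max) -> No action taken.
c:\qoobox\quarantine\c\windows\system32\drivers\example.sys.vir (Backdoor.Agent) -> No action taken.
c:\windows\system32\drivers\example2.sys (Trojan.Agent) -> No action taken.
c:\program files (x86)\example\example.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    print(summarize(triage(SAMPLE_LOG)))
```

A non-empty `live_pending` list is the case that still needs a removal pass; entries under `system_restore` go away when the old restore points are purged.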

psbsubs4
2011-01-14, 17:49
Hi,

Ran ATF & OTL. Nothing odd happened with either of them so I suppose that they did what they needed to do.

Regarding the computer running.

SB S&D - I was having trouble with it at the start of the post and we have not done anything with it since then so I assume that I need to uninstall (if applicable) and reinstall. I am ready to do that if you think it is time to try it.

Avast - Same as SB S&D. Shall I try a un/reinstall?

IE7 - Same as SB S&D. In days gone by, I seem to recall that IE could not be uninstalled for a reinstall. I looked in add/remove back at the start of all of this trouble to see if it had a repair option but I did not see it. How do I get IE7 running again? (Note: I cannot recall if my computer will not handle IE8 or I just have not had time to look into it but I would prefer to stick with IE7 for now and deal with IE8 at another time.) How do I get IE7 running again?

MS Word (which I have only tried a little bit) acts as if I launched the document twice. That is, it opens, and then the screen "blinks" and I get a notice/window that talks about the file being in use and asking if I want to make a copy.

By "blink", I mean the screen does some sort of change/blanks or something real quick but then the screen is back to what it was before.

MS Excel does the same thing (which I have only tried a little more than MS Word). Excel acts like word some of the time and other times, it just "blinks" but does not give the notice about trying to open the file again.

Other apps - I have not tried other stuff. I have had the computer turned off unless I was doing something related to repair so as to limit the virus having access to stuff. I have only started opening the MS documents the last day or two after we got through a couple of good scans. (I have not tried to make any changes or do any saves or creates).

Note: Of course all of my application settings are on C:\ as well as some of my apps saved data (because they do not give the choice to save anywhere besides C:\). At the same time though, I have a lot of data on a separate hard drive that I removed at the first sign of trouble and just recently added back in so that it could be part of the full blown MWB scan.

Ditto for the hard drive that I used to back up my data.

Ditto for a flash drive that I used a little bit because at the very beginning of all of this, I was posting on my win 98 machine, downloading files to the flash and transferring them to this XP machine (the trouble machine) to do our work. Then I realized that Google Chrome would work on the XP machine and did not need to use the Win 98/flash drive stuff any more.

I know all three of these extra drives were part of the MWB scan because I was able to list them as drives to scan. However, I could not tell if the on-line scan checked these other three drives though. Is there something extra that we should run against these drives or do you think that the MWB scan was sufficient?

Quick review of what was recently scanned when (to the best I can recall)

MWB - C:\ found trouble, did CF to fix things up.
MWB - C:\ Nothing found
MWB - C:\ +E:\ (data drive) F:\(Back up drive) G:\(Flash) - Nothing found

On-line scan - I would assume it scanned C:\ but I do not know if it scanned E, F & G.

Thanks!

ken545
2011-01-14, 18:30
Hi,

Since you used a flash drive in between computers, I would run this on the computer we are working on.


Please download Flash_Disinfector.exe (http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe) by sUBs and save it to your desktop:


Double-click Flash_Disinfector.exe to run it.
Follow any prompts that may appear.
Wait until the program has finished scanning, then please exit the program.
The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.


Please restart your computer.




The name of the game is security and keeping things updated. Internet Explorer 8 is much more secure than version 7. You can download and install it by running Windows Updates or from this link.

http://www.microsoft.com/windows/internet-explorer/worldwide-sites.aspx




At the beginning of working on this computer I gave you the option to format and reinstall Windows. With the amount and type of malware you had, along with the other problems, this is the route I would have taken if it was my computer.

We just do malware removal on this forum, so I am going to link you to a nice Windows support forum that you can post at for your other problems.
http://forums.whatthetech.com/index.php?showforum=119





How did I get infected in the first place?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks to Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Safe Surfn
Ken

ken545
2011-01-16, 11:40
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.